pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration

pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

认证机制不恰当

pgJDBC 授权问题漏洞

pgJDBC是pgJDBC开源的一个PostgreSQL驱动。 pgJDBC 42.7.4至42.7.7版本存在授权问题漏洞，该漏洞源于通道绑定配置不当，可能导致中间人攻击。

N/A

N/A