FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-24 03:12:49 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
2ccd71bd-426b-11ec-87db-6cc21735f730	PostgreSQL -- Possible man-in-the-middle attacks The PostgreSQL Project reports: CVE-2021-23214: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.) CVE-2021-23222: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214. Discovery 2021-11-08 Entry 2021-11-10 postgresql14-server < 14.1 postgresql13-server < 13.5 postgresql12-server < 12.9 postgresql11-server < 11.14 postgresql10-server < 10.19 postgresql96-server < 9.6.24 CVE-2021-23214 CVE-2021-23222

VuXML ID

Description

2ccd71bd-426b-11ec-87db-6cc21735f730

PostgreSQL -- Possible man-in-the-middle attacks

The PostgreSQL Project reports:

CVE-2021-23214: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)

CVE-2021-23222: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.

Discovery 2021-11-08
Entry 2021-11-10
postgresql14-server

< 14.1

postgresql13-server

< 13.5

postgresql12-server

< 12.9

postgresql11-server

< 11.14

postgresql10-server

< 10.19

postgresql96-server

< 9.6.24

CVE-2021-23214
CVE-2021-23222