CVSSv3: 8.1

CVE-2021-3935

Published: 22/11/2021 Updated: 07/11/2023
CVSS v2 Base Score: 5.1 | Impact Score: 6.4 | Exploitability Score: 4.9
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 454
CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Vulnerability Summary

When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions before 1.16.1.


pgbouncer pgbouncer

redhat enterprise linux 7.0

fedoraproject fedora 35

debian debian linux 9.0

Vendor Advisories

A security issue has been found in PgBouncer before version 1.16.1. A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if PgBounce ...
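The summary and the advisory above both describe the same weakness: the PostgreSQL wire protocol opens TLS with an 8-byte cleartext SSLRequest, and anything an on-path attacker appends to that packet can end up being parsed as the first bytes of the "encrypted" session. The following is an added illustration, not PgBouncer's own code: it models a startup routine that keeps bytes trailing the SSLRequest (the flawed behaviour) next to one that refuses to begin TLS when such bytes are present (the corrected behaviour). The buffer-handling functions, the constructed sample traffic and the simplified session model are assumptions made for the demonstration; only the SSLRequest code (1234 << 16 | 5679) and the 'Q' simple-query framing are real protocol constants.

```python
"""Model of the CVE-2021-3935 startup weakness (added illustration, not PgBouncer code).

A client asks for TLS by sending an 8-byte cleartext SSLRequest; the server
answers and the handshake follows. A MITM that can inject into the TCP stream
may append plaintext right after those 8 bytes. If the server keeps whatever it
already read past the SSLRequest and consumes it as the first bytes of the
encrypted session, the injected bytes are parsed as if the (certificate-
authenticated) client had sent them. The fixed behaviour refuses to start TLS
when extra bytes follow the SSLRequest.
"""
import struct

SSL_REQUEST_CODE = (1234 << 16) | 5679  # 80877103, the PostgreSQL SSLRequest code


def split_ssl_request(buf: bytes) -> bytes:
    """Return whatever followed a valid SSLRequest in the same read.

    Raises ValueError if buf does not start with a well-formed SSLRequest.
    """
    if len(buf) < 8:
        raise ValueError("short read, no SSLRequest")
    length, code = struct.unpack("!II", buf[:8])
    if length != 8 or code != SSL_REQUEST_CODE:
        raise ValueError("not an SSLRequest")
    return buf[8:]


def vulnerable_session_input(pre_tls_read: bytes, decrypted: bytes) -> bytes:
    """Flawed handling (assumed model): leftover cleartext is consumed ahead of
    the data the genuine client sent inside TLS."""
    leftover = split_ssl_request(pre_tls_read)
    return leftover + decrypted


def hardened_session_input(pre_tls_read: bytes, decrypted: bytes) -> bytes:
    """Fixed handling (assumed model): abort before the handshake if anything
    trailed the SSLRequest, so nothing unencrypted can enter the session."""
    leftover = split_ssl_request(pre_tls_read)
    if leftover:
        raise ValueError("unexpected data after SSLRequest; aborting before TLS")
    return decrypted


def first_message(session: bytes):
    """Parse the first regular protocol message: 1-byte tag, 4-byte length
    (which counts itself but not the tag), then the body."""
    if len(session) < 5:
        raise ValueError("short message")
    tag = session[0:1]
    (length,) = struct.unpack("!I", session[1:5])
    body = session[5:1 + length]
    if len(body) != length - 4:
        raise ValueError("truncated message")
    return tag, body


def simple_query(sql: str) -> bytes:
    """Encode a PostgreSQL 'Q' (simple query) message."""
    payload = sql.encode() + b"\x00"
    return b"Q" + struct.pack("!I", 4 + len(payload)) + payload


SSL_REQUEST = struct.pack("!II", 8, SSL_REQUEST_CODE)
# Constructed sample traffic: attacker plaintext stuffed right after the client's
# SSLRequest, and the genuine client's first message as decrypted after the handshake.
INJECTED = simple_query("SELECT current_user")  # attacker-chosen SQL, sent in cleartext
GENUINE = simple_query("SELECT 1")              # what the real client sent inside TLS


def demo():
    tag, body = first_message(vulnerable_session_input(SSL_REQUEST + INJECTED, GENUINE))
    print("vulnerable: first message after handshake:", tag, body)
    try:
        hardened_session_input(SSL_REQUEST + INJECTED, GENUINE)
    except ValueError as err:
        print("hardened:", err)
    tag, body = first_message(hardened_session_input(SSL_REQUEST, GENUINE))
    print("hardened, clean startup:", tag, body)


if __name__ == "__main__":
    demo()
```

In the flawed variant the attacker's 'Q' message is the first thing parsed after the handshake, ahead of anything the real client sent; because the advisory's precondition is "cert" authentication, that message would be executed under the identity the client certificate established, with no password for the attacker to supply. The hardened variant makes the only safe choice at that point: drop the connection rather than guess which bytes were genuine.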