CVE-2021-43767

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-43767

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43767.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-43767

Aliases

BIT-postgresql-2021-43767

Published

2022-08-25T18:15:09Z

Modified

2024-10-12T08:37:42.603172Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses to the client's first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to client as if they originated from valid server. This is similar to CVE-2021-23222 for PostgreSQL.

References

Affected packages

Git / git.postgresql.org/git/postgresql.git

Affected ranges

Type: GIT
Repo: https://git.postgresql.org/git/postgresql.git
Events: Introduced

a721a1ba9cf6c86cb52f1bf325d5a27b64e870d6

Fixed

a4116b8d5a4f68803452d8f1aa3f74f302049a90

Affected versions

Other

REL9_6_0

REL9_6_1

REL9_6_10

REL9_6_11

REL9_6_12

REL9_6_13

REL9_6_14

REL9_6_15

REL9_6_16

REL9_6_17

REL9_6_18

REL9_6_19

REL9_6_2

REL9_6_20

REL9_6_21

REL9_6_22

REL9_6_23

REL9_6_3

REL9_6_4

REL9_6_5

REL9_6_6

REL9_6_7

REL9_6_8

REL9_6_9