CVE-2021-3935

Name
CVE-2021-3935
Description
When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions prior to 1.16.1.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://bugzilla.redhat.com/show_bug.cgi?id=2021251
MISC http://www.pgbouncer.org/changelog.html#pgbouncer-116x
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNPCV3KRDI5PLLLKADFVIOHACQJLZMLI/
Mailing List https://lists.debian.org/debian-lts-announce/2022/02/msg00016.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:pgbouncer:pgbouncer:*:*:*:*:*:*:*:* pgbouncer >= None < 1.16.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
pgbouncer 3.14-community 1.15.0-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable