Many PostgreSQL-provided client applications have options that create additional database connections. Some of those applications reuse only the basic connection parameters (e.g. host, user, port), dropping others. If this drops a security-relevant parameter (e.g. channel_binding, sslmode, requirepeer, gssencmode), the attacker has an opportunity to complete a MITM attack or observe cleartext transmission.
Affected applications are clusterdb, pg_dump, pg_restore, psql, reindexdb, and vacuumdb. The vulnerability arises only if one invokes an affected client application with a connection string containing a security-relevant parameter.
This also fixes how the \connect command of psql reuses connection parameters, i.e. all non-overridden parameters from a previous connection string now re-used.
The PostgreSQL project thanks Peter Eisentraut for reporting this problem.
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| 13 | 13.1 | Nov. 12, 2020 |
| 12 | 12.5 | Nov. 12, 2020 |
| 11 | 11.10 | Nov. 12, 2020 |
| 10 | 10.15 | Nov. 12, 2020 |
| 9.6 | 9.6.20 | Nov. 12, 2020 |
| 9.5 | 9.5.24 | Nov. 12, 2020 |
For more information about PostgreSQL versioning, please visit the versioning page.
| Overall Score | 8.1 |
|---|---|
| Component | client |
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
If you wish to report a new security vulnerability in PostgreSQL, please send an email to security@postgresql.org.
For reporting non-security bugs, please see the Report a Bug page.