CVE-2020-25694

MEDIUM

Description

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1894423

https://lists.debian.org/debian-lts-announce/2020/12/msg00005.html

https://security.gentoo.org/glsa/202012-07

https://security.netapp.com/advisory/ntap-20201202-0003/

https://www.postgresql.org/support/security/

Details

Source: MITRE

Published: 2020-11-16

Updated: 2020-12-07

Type: CWE-327

Risk Information

CVSS v2.0

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 8.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.2

Severity: HIGH

Tenable Plugins

View all (44 total)

ID	Name	Product	Family	Severity
146831	openSUSE Security Update : postgresql / postgresql13 (openSUSE-2021-337)	Nessus	SuSE Local Security Checks	high
146009	CentOS 8 : postgresql:9.6 (CESA-2020:5619)	Nessus	CentOS Local Security Checks	high
146002	CentOS 8 : postgresql:12 (CESA-2020:5620)	Nessus	CentOS Local Security Checks	high
145829	CentOS 8 : postgresql:10 (CESA-2020:5567)	Nessus	CentOS Local Security Checks	high
145490	SUSE SLES12 Security Update : postgresql, postgresql12, postgresql13 (SUSE-SU-2021:0217-1)	Nessus	SuSE Local Security Checks	high
145243	RHEL 8 : postgresql:10 (RHSA-2021:0166)	Nessus	Red Hat Local Security Checks	high
145239	SUSE SLED15 / SLES15 Security Update : postgresql, postgresql13 (SUSE-SU-2021:0175-1)	Nessus	SuSE Local Security Checks	high
145227	RHEL 8 : postgresql:9.6 (RHSA-2021:0167)	Nessus	Red Hat Local Security Checks	high
145226	RHEL 8 : libpq (RHSA-2021:0165)	Nessus	Red Hat Local Security Checks	high
145044	RHEL 8 : postgresql:12 (RHSA-2021:0163)	Nessus	Red Hat Local Security Checks	high
145043	RHEL 8 : postgresql:9.6 (RHSA-2021:0164)	Nessus	Red Hat Local Security Checks	high
145042	RHEL 8 : postgresql:10 (RHSA-2021:0161)	Nessus	Red Hat Local Security Checks	high
144988	Amazon Linux AMI : postgresql95, postgresql96 (ALAS-2021-1476)	Nessus	Amazon Linux Local Security Checks	high
144850	RHEL 8 : libpq (RHSA-2021:0057)	Nessus	Red Hat Local Security Checks	high
144605	RHEL 8 : libpq (RHSA-2020:5638)	Nessus	Red Hat Local Security Checks	high
144565	Oracle Linux 8 : ELSA-2020-5619-1: / postgresql:9.6 (ELSA-2020-56191)	Nessus	Oracle Linux Local Security Checks	high
144564	Oracle Linux 8 : ELSA-2020-5620-1: / postgresql:12 (ELSA-2020-56201)	Nessus	Oracle Linux Local Security Checks	high
144561	Oracle Linux 8 : ELSA-2020-5567-1: / postgresql:10 (ELSA-2020-55671)	Nessus	Oracle Linux Local Security Checks	high
144560	RHEL 8 : postgresql:9.6 (RHSA-2020:5661)	Nessus	Red Hat Local Security Checks	high
144559	RHEL 8 : postgresql:10 (RHSA-2020:5664)	Nessus	Red Hat Local Security Checks	high
144417	RHEL 8 : postgresql:12 (RHSA-2020:5620)	Nessus	Red Hat Local Security Checks	high
144401	RHEL 8 : postgresql:10 (RHSA-2020:5567)	Nessus	Red Hat Local Security Checks	high
144395	RHEL 8 : postgresql:9.6 (RHSA-2020:5619)	Nessus	Red Hat Local Security Checks	high
144213	Oracle Linux 8 : libpq (ELSA-2020-5401)	Nessus	Oracle Linux Local Security Checks	high
144204	RHEL 8 : libpq (RHSA-2020:5401)	Nessus	Red Hat Local Security Checks	high
144160	EulerOS 2.0 SP8 : postgresql (EulerOS-SA-2020-2526)	Nessus	Huawei Local Security Checks	high
144060	PostgreSQL 9.5.x < 9.5.24 / 9.6.x < 9.6.20 / 10.x < 10.15 / 11.x < 11.10 / 12.x < 12.5 / 13.x < 13.1 Multiple Vulnerabilities	Nessus	Databases	high
143871	SUSE SLED15 / SLES15 Security Update : postgresql10 (SUSE-SU-2020:3476-1)	Nessus	SuSE Local Security Checks	high
143859	SUSE SLED15 / SLES15 Security Update : postgresql12 (SUSE-SU-2020:3463-1)	Nessus	SuSE Local Security Checks	high
143846	SUSE SLES15 Security Update : postgresql10 (SUSE-SU-2020:3455-1)	Nessus	SuSE Local Security Checks	high
143737	SUSE SLED15 / SLES15 Security Update : postgresql12 (SUSE-SU-2020:3425-1)	Nessus	SuSE Local Security Checks	high
143661	SUSE SLES12 Security Update : postgresql10 (SUSE-SU-2020:3464-1)	Nessus	SuSE Local Security Checks	high
143653	SUSE SLES12 Security Update : postgresql12 (SUSE-SU-2020:3630-1)	Nessus	SuSE Local Security Checks	high
143617	SUSE SLES12 Security Update : postgresql96 (SUSE-SU-2020:3477-1)	Nessus	SuSE Local Security Checks	high
143503	GLSA-202012-07 : PostgreSQL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
143461	Debian DLA-2478-1 : postgresql-9.6 security update	Nessus	Debian Local Security Checks	high
143363	Photon OS 1.0: Postgresql PHSA-2020-1.0-0340	Nessus	PhotonOS Local Security Checks	medium
143362	Photon OS 2.0: Postgresql PHSA-2020-2.0-0298	Nessus	PhotonOS Local Security Checks	medium
143343	openSUSE Security Update : postgresql12 (openSUSE-2020-2018)	Nessus	SuSE Local Security Checks	high
143338	openSUSE Security Update : postgresql10 (openSUSE-2020-2019)	Nessus	SuSE Local Security Checks	high
143320	openSUSE Security Update : postgresql10 (openSUSE-2020-2028)	Nessus	SuSE Local Security Checks	high
143290	openSUSE Security Update : postgresql12 (openSUSE-2020-2029)	Nessus	SuSE Local Security Checks	high
143252	Photon OS 3.0: Postgresql PHSA-2020-3.0-0164	Nessus	PhotonOS Local Security Checks	medium
142968	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : PostgreSQL vulnerabilities (USN-4633-1)	Nessus	Ubuntu Local Security Checks	high