CVE-2023-31136

medium

Description

PostgresNIO is a Swift client for PostgreSQL. Any user of PostgresNIO prior to version 1.14.2 connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption. The vulnerability is addressed in PostgresNIO versions starting from 1.14.2. There are no known workarounds for unpatched users.

References

https://www.postgresql.org/support/security/CVE-2021-23222/

https://www.postgresql.org/support/security/CVE-2021-23214/

https://github.com/vapor/postgres-nio/security/advisories/GHSA-9cfh-vx93-84vv

https://github.com/vapor/postgres-nio/releases/tag/1.14.2

https://github.com/vapor/postgres-nio/commit/2df54bc94607f44584ae6ffa74e3cd754fffafc7

https://github.com/apple/swift-nio/pull/2419

https://github.com/advisories/GHSA-735f-7qx4-jqq5

https://github.com/advisories/GHSA-467w-rrqc-395f

Details

Source: Mitre, NVD

Published: 2023-05-09

Updated: 2023-05-16

Risk Information

CVSS v2

Base Score: 5.4

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: Medium