Exposure of sensitive information due to incompatible policies issue exists in Pgpool-II. If a database user accesses a query cache, table data unauthorized for the user may be retrieved.

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5974 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5974-1                   security@debian.org     https://www.debian.org/security/                                  Aron Xu     August 13, 2025                       https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : pgpool2     CVE ID         : CVE-2024-45624 CVE-2025-46801     Debian Bug     : 1081659 1106119

    Two security issues were found in pgpool-II, the connection pool server     and replication proxy for PostgreSQL, which could result in authentication     bypass and exposure of sensitive information.

    For the oldstable distribution (bookworm), these problems have been fixed     in version 4.3.5-1+deb12u1.

    We recommend that you upgrade your pgpool2 packages.

    For the detailed security status of pgpool2 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/pgpool2

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Exposure of sensitive information due to incompatible policies issue exists in Pgpool-II. If a database     user accesses a query cache, table data unauthorized for the user may be retrieved. (CVE-2024-45624)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3993 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3993-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                          Abhijith PA     December 12, 2024                             https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : pgpool2     Version        : 4.1.4-3+deb11u1     CVE ID         : CVE-2023-22332 CVE-2024-45624

    Two vulnerabilities were discovered in pgpool2, a connection pool     server and replication proxy for PostgreSQL.

    CVE-2023-22332

        A specific database user's authentication information may be         obtained by another database user. As a result, the information         stored in the database may be altered and/or database may be         suspended by a remote attacker who successfully logged in the         product with the obtained credentials.

    CVE-2024-45624

        When the query cache feature is enabled, it was possible that a         database user can read rows from tables that should not be visible         for the user through query cache.

    For Debian 11 bullseye, these problems have been fixed in version     4.1.4-3+deb11u1.

    We recommend that you upgrade your pgpool2 packages.

    For the detailed security status of pgpool2 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/pgpool2

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
277737	Debian dsa-5974 : libpgpool-dev - security update	Nessus	Debian Local Security Checks	critical
228586	Linux Distros Unpatched Vulnerability : CVE-2024-45624	Nessus	Misc.	high
212755	Debian dla-3993 : libpgpool-dev - security update	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2024-45624

high

Tenable Plugins

critical

high

medium