CVE-2023-31136
Description
PostgresNIO is a Swift client for PostgreSQL. Any user of PostgresNIO prior to version 1.14.2 connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption. The vulnerability is addressed in PostgresNIO versions starting from 1.14.2. There are no known workarounds for unpatched users.
CWE
- CWE-522 — CWE-522: Insufficiently Protected Credentials
Affected
- vapor / postgres-nio — v=< 1.14.2 [affected]
CVSS
- 3.1 score=3.7 severity=LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
References
- https://github.com/vapor/postgres-nio/security/advisories/GHSA-9cfh-vx93-84vv x_refsource_CONFIRM
- https://github.com/apple/swift-nio/pull/2419 x_refsource_MISC
- https://github.com/vapor/postgres-nio/commit/2df54bc94607f44584ae6ffa74e3cd754fffafc7 x_refsource_MISC
- https://github.com/advisories/GHSA-467w-rrqc-395f x_refsource_MISC
- https://github.com/advisories/GHSA-735f-7qx4-jqq5 x_refsource_MISC
- https://github.com/vapor/postgres-nio/releases/tag/1.14.2 x_refsource_MISC
- https://www.postgresql.org/support/security/CVE-2021-23214/ x_refsource_MISC
- https://www.postgresql.org/support/security/CVE-2021-23222/ x_refsource_MISC
Source
cvelistV5-main/cves/2023/31xxx/CVE-2023-31136.json