CVE-2023-31136 postgres-nio

Package

Manager: swift
Name: postgres-nio
Vulnerable Version: >=0 <1.14.2

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00204 (percentile 0.42736)

Details

PostgresNIO processes unencrypted bytes from man-in-the-middle

### Impact

Any user of PostgresNIO connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption.

_The remaining text in this section is quoted verbatim from [PostgreSQL's CVE-2021-23222 advisory](https://www.postgresql.org/support/security/CVE-2021-23222/):_

> If more preconditions hold, the attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session. The attacker must have a way to trick the client's intended server into making the confidential data accessible to the attacker. A known implementation having that property is a PostgreSQL configuration vulnerable to [CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/). As with any exploitation of [CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/), the server must be using trust authentication with a clientcert requirement or using cert authentication. To disclose a password, the client must be in possession of a password, which is atypical when using an authentication configuration vulnerable to [CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/). The attacker must have some other way to access the server to retrieve the exfiltrated data (a valid, unprivileged login account would be sufficient).

### Patches

The vulnerability is addressed in PostgresNIO versions starting from [1.14.2](https://github.com/vapor/postgres-nio/releases/tag/1.14.2) via [2df54bc94607f44584ae6ffa74e3cd754fffafc7](https://github.com/vapor/postgres-nio/commit/2df54bc94607f44584ae6ffa74e3cd754fffafc7), which required [additional support](https://github.com/apple/swift-nio/pull/2419) from SwiftNIO.

### Workarounds

There are no known workarounds for unpatched users.
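
The check that closes this class of flaw at the point where a PostgreSQL client upgrades to TLS, as an added Python illustration (not PostgresNIO's or SwiftNIO's code, and not a workaround for unpatched versions). The function names and the sample buffers are constructed for this example; the SSLRequest framing and the one-byte `S`/`N` answer are the PostgreSQL wire protocol's.

```python
import struct

SSL_REQUEST_CODE = 80877103  # (1234 << 16) | 5679, PostgreSQL SSLRequest code

# Constructed sample reads of the pre-TLS socket buffer (not captured traffic).
CLEAN_READ = b"S"
# 'S' plus a cleartext ReadyForQuery frame arriving before any TLS record.
TRAILING_READ = b"S" + b"Z" + struct.pack("!I", 5) + b"I"


class PlaintextAfterSSLResponse(Exception):
    """Cleartext bytes were buffered behind the server's one-byte answer."""


def build_ssl_request() -> bytes:
    # Int32 length (8, counts itself) followed by the Int32 request code.
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def accept_ssl_response(buffered: bytes) -> bool:
    """Return True to start TLS ('S'), False if the server declined ('N').

    `buffered` is everything read from the socket so far, still unencrypted.
    """
    if not buffered:
        raise ValueError("no response to SSLRequest yet")
    answer, leftover = buffered[:1], buffered[1:]
    if answer not in (b"S", b"N"):
        raise ValueError(f"unexpected SSLRequest response {answer!r}")
    if answer == b"S" and leftover:
        # A server that answered 'S' waits for the ClientHello, so anything
        # already buffered was not protected by TLS. Abort instead of letting
        # the protocol decoder consume it after the handshake completes.
        raise PlaintextAfterSSLResponse(
            f"{len(leftover)} unencrypted byte(s) after SSL response")
    return answer == b"S"


def classify(buffered: bytes) -> str:
    try:
        return "start-tls" if accept_ssl_response(buffered) else "no-tls"
    except PlaintextAfterSSLResponse:
        return "abort"
```
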

### Additional Credits

Special thanks to PostgreSQL's Tom Lane <[tgl@sss.pgh.pa.us](mailto:tgl@sss.pgh.pa.us)> for reporting this issue!

### References

- [PostgreSQL security advisory for CVE-2021-23222](https://www.postgresql.org/support/security/CVE-2021-23222/)
- [GitHub security advisory GHSA-735f-7qx4-jqq5 for CVE-2021-23222](https://github.com/advisories/GHSA-735f-7qx4-jqq5)
- [PostgreSQL security advisory for CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/)
- [GitHub security advisory GHSA-467w-rrqc-395f for CVE-2021-23214](https://github.com/advisories/GHSA-467w-rrqc-395f)
- [SwiftNIO PR #2419 Add unprocessedBytes property on NIOSingleStepByteToMessageProcessor](https://github.com/apple/swift-nio/pull/2419)
- [PostgresNIO commit 2df54bc94607f44584ae6ffa74e3cd754fffafc7](https://github.com/vapor/postgres-nio/commit/2df54bc94607f44584ae6ffa74e3cd754fffafc7)
- [PostgresNIO 1.42.2 release](https://github.com/vapor/postgres-nio/releases/tag/1.14.2)

Metadata

Created: 2023-05-10T19:20:16Z
Modified: 2023-05-10T19:20:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-9cfh-vx93-84vv/GHSA-9cfh-vx93-84vv.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-9cfh-vx93-84vv
Finding: F035
Auto approve: 1