PostgreSQL up to 13.0 Client Application downgrade

Summaryinfo

A vulnerability was found in PostgreSQL up to 13.0. It has been classified as problematic. This affects an unknown function of the component Client Application Handler. This manipulation causes downgrade. This vulnerability appears as CVE-2020-25694. The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability classified as problematic was found in PostgreSQL up to 13.0 (Database Software). Affected by this vulnerability is an unknown code block of the component Client Application Handler. The manipulation with an unknown input leads to a downgrade vulnerability. The CWE definition for the vulnerability is CWE-757. A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. As an impact it is known to affect confidentiality.

The weakness was presented 11/16/2020 as 1894423. The advisory is shared at bugzilla.redhat.com. This vulnerability is known as CVE-2020-25694. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1562.010 for this issue.

The vulnerability scanner Nessus provides a plugin with the ID 213339 (Oracle Linux 7 : postgresql (ELSA-2024-10882)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 9.5.24, 9.6.20, 10.15, 11.10, 12.5 or 13.1 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (213339). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Database Software

Name

• PostgreSQL

Version

• 9.5.0
• 9.5.1
• 9.5.2
• 9.5.3
• 9.5.4
• 9.5.5
• 9.5.6
• 9.5.7
• 9.5.8
• 9.5.9
• 9.5.10
• 9.5.11
• 9.5.12
• 9.5.13
• 9.5.14
• 9.5.15
• 9.5.16
• 9.5.17
• 9.5.18
• 9.5.19
• 9.5.20
• 9.5.21
• 9.5.22
• 9.5.23
• 9.6.0
• 9.6.1
• 9.6.2
• 9.6.3
• 9.6.4
• 9.6.5
• 9.6.6
• 9.6.7
• 9.6.8
• 9.6.9
• 9.6.10
• 9.6.11
• 9.6.12
• 9.6.13
• 9.6.14
• 9.6.15
• 9.6.16
• 9.6.17
• 9.6.18
• 9.6.19
• 10.0
• 10.1
• 10.2
• 10.3
• 10.4
• 10.5
• 10.6
• 10.7
• 10.8
• 10.9
• 10.10
• 10.11
• 10.12
• 10.13
• 10.14
• 11.0
• 11.1
• 11.2
• 11.3
• 11.4
• 11.5
• 11.6
• 11.7
• 11.8
• 11.9
• 12.0
• 12.1
• 12.2
• 12.3
• 12.4
• 13.0

License

• open-source

Website

• Product: https://www.postgresql.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion