Headline
CVE-2021-3935: server processes unencrypted bytes from man-in-the-middle
When PgBouncer is configured to use “cert” authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions prior to 1.16.1.
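The headline names the mechanism: the server goes on processing cleartext bytes that arrived before the TLS upgrade. One defensive check against that class of bug, as an added example that is not PgBouncer's own code: before upgrading a PostgreSQL-protocol connection to TLS, refuse to proceed if any cleartext bytes were received after the SSLRequest, so nothing unauthenticated survives into the cert-authenticated session. `classify_startup_bytes` and `startup_decision` are hypothetical helper names; the packet constants are the PostgreSQL protocol's own.

```python
import struct

# Wire-protocol constants from the PostgreSQL frontend/backend protocol.
SSL_REQUEST_LEN = 8
SSL_REQUEST_CODE = 80877103  # (1234 << 16) | 5679

def classify_startup_bytes(buffered: bytes) -> str:
    """Classify the cleartext bytes read from a client before any TLS upgrade.

    Returns one of:
      "incomplete" - fewer than 8 bytes so far, keep reading
      "other"      - not an SSLRequest (e.g. a plain StartupMessage)
      "ok"         - exactly one SSLRequest and nothing else: safe to start TLS
      "tainted"    - an SSLRequest followed by extra cleartext bytes; a server
                     that kept those bytes buffered across the handshake would
                     later process them as if they had arrived over the
                     encrypted, cert-authenticated channel, so drop the connection
    """
    if len(buffered) < SSL_REQUEST_LEN:
        return "incomplete"
    length, code = struct.unpack("!II", buffered[:SSL_REQUEST_LEN])
    if length != SSL_REQUEST_LEN or code != SSL_REQUEST_CODE:
        return "other"
    if len(buffered) > SSL_REQUEST_LEN:
        return "tainted"
    return "ok"

def ssl_request() -> bytes:
    """Build a well-formed SSLRequest packet (constructed sample input)."""
    return struct.pack("!II", SSL_REQUEST_LEN, SSL_REQUEST_CODE)

def startup_decision(buffered: bytes) -> str:
    """Map the classification onto the action a hardened server should take
    before handing the socket to its TLS library (hypothetical policy helper)."""
    status = classify_startup_bytes(buffered)
    if status == "ok":
        return "start-tls-handshake"  # read buffer is empty; nothing can leak through
    if status == "tainted":
        return "close-connection"     # never let cleartext survive the upgrade
    if status == "other":
        return "continue-plaintext"   # caller applies its own policy (e.g. require TLS)
    return "read-more"

if __name__ == "__main__":
    # Constructed samples: a clean SSLRequest, and the same request with a
    # benign cleartext simple-query message ('Q', length, "SELECT 1") appended.
    clean = ssl_request()
    query = b"SELECT 1\x00"
    trailing = clean + b"Q" + struct.pack("!I", 4 + len(query)) + query
    print(startup_decision(clean))     # start-tls-handshake
    print(startup_decision(trailing))  # close-connection
```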
Description Guilherme de Almeida Suckevicz 2021-11-08 16:33:51 UTC
When PgBouncer is configured to use “cert” authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption.
Comment 1 Guilherme de Almeida Suckevicz 2021-11-16 14:51:45 UTC
Created pgbouncer tracking bugs for this issue:
Affects: epel-all [bug 2023785]
Affects: fedora-all [bug 2023784]
Comment 2 Product Security DevOps Team 2021-11-16 15:01:19 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.