Vulnerability Details : CVE-2023-31136
PostgresNIO is a Swift client for PostgreSQL. Any user of PostgresNIO prior to version 1.14.2 connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption. The weakness lies in the handshake: the client sends an SSLRequest in plaintext and the server answers with a single plaintext byte before the TLS handshake begins; bytes that an attacker appends to that reply were left in the client's receive buffer and processed as though they had arrived over the authenticated TLS channel. The vulnerability is addressed in PostgresNIO versions starting from 1.14.2. There are no known workarounds for unpatched users.
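The handshake flaw described above, modelled in Python as an added example. This is not PostgresNIO code and does not reproduce its internals: the SSLRequest and backend message layouts follow the PostgreSQL frontend/backend protocol, while the handler functions, the forged messages and the attacker segment are constructed here for illustration. The vulnerable handler keeps whatever follows the server's one-byte reply and hands it to the message parser; the hardened handler treats any trailing plaintext as a protocol violation and aborts.

```python
"""Model of the SSLRequest handshake flaw (constructed example, not PostgresNIO code).
A MITM appends plaintext backend messages to the server's one-byte 'S' reply; a client
that keeps those bytes buffered across the TLS handshake parses them as server output."""
import struct

SSL_REQUEST_CODE = 80877103  # the protocol's SSLRequest code (1234 5679 in the docs)


def build_ssl_request() -> bytes:
    # int32 length (including itself) followed by the int32 request code
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def build_message(msg_type: bytes, payload: bytes) -> bytes:
    # Regular backend message: 1-byte type, int32 length (payload + 4), payload
    return msg_type + struct.pack("!i", len(payload) + 4) + payload


def parse_messages(buf: bytes) -> list[tuple[str, bytes]]:
    # Frame complete backend messages out of buf; stop at a partial message
    out = []
    while len(buf) >= 5:
        msg_type = chr(buf[0])
        (length,) = struct.unpack("!i", buf[1:5])
        if length < 4 or len(buf) < 1 + length:
            break
        out.append((msg_type, buf[5:1 + length]))
        buf = buf[1 + length:]
    return out


class HandshakeError(Exception):
    pass


def vulnerable_handle_ssl_reply(data: bytes) -> tuple[bool, bytes]:
    """Pre-fix pattern (modelled): consume the 'S'/'N' byte and keep the remainder
    buffered, so after the TLS handshake it is decoded as if it arrived over TLS."""
    if not data:
        raise HandshakeError("empty reply to SSLRequest")
    code, rest = data[:1], data[1:]
    if code not in (b"S", b"N"):
        raise HandshakeError(f"unexpected SSLRequest reply {code!r}")
    return code == b"S", rest


def hardened_handle_ssl_reply(data: bytes) -> bool:
    """Fixed pattern: the single reply byte is the only plaintext the server sends
    at this point, so trailing bytes cannot be legitimate. Abort the connection."""
    if not data:
        raise HandshakeError("empty reply to SSLRequest")
    code, rest = data[:1], data[1:]
    if code not in (b"S", b"N"):
        raise HandshakeError(f"unexpected SSLRequest reply {code!r}")
    if rest:
        raise HandshakeError(
            f"{len(rest)} unencrypted byte(s) received after SSLRequest reply")
    return code == b"S"


def mitm_reply() -> bytes:
    # Constructed attacker segment: the genuine 'S' plus forged plaintext messages
    # that mimic the server answering the client's first query.
    forged = (
        build_message(b"C", b"UPDATE 1\x00")   # CommandComplete
        + build_message(b"Z", b"I")             # ReadyForQuery, idle
    )
    return b"S" + forged


def demo_vulnerable() -> list[tuple[str, bytes]]:
    use_tls, leftover = vulnerable_handle_ssl_reply(mitm_reply())
    assert use_tls
    # ... TLS handshake would happen here; leftover is still sitting in the buffer ...
    return parse_messages(leftover)


def demo_hardened() -> str:
    try:
        hardened_handle_ssl_reply(mitm_reply())
    except HandshakeError as e:
        return str(e)
    return "accepted"


if __name__ == "__main__":
    print("vulnerable client would consume:", demo_vulnerable())
    print("hardened client:", demo_hardened())
```

Running the block shows the vulnerable path yielding a forged CommandComplete and ReadyForQuery pair that the client would attribute to the authenticated server, while the hardened path refuses the connection as soon as it sees plaintext after the reply byte. The check costs nothing in the normal case, since a well-behaved server sends exactly one byte here.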
Products affected by CVE-2023-31136
- cpe:2.3:a:vapor:postgresnio:*:*:*:*:*:postgresql:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-31136
EPSS score: 0.20% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~58% (proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2023-31136
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | NIST | |
3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | 2.2 | 1.4 | GitHub, Inc. | |
CWE ids for CVE-2023-31136
- The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (Assigned by: security-advisories@github.com, Primary)
References for CVE-2023-31136
- https://www.postgresql.org/support/security/CVE-2021-23222/
  PostgreSQL: CVE-2021-23222: libpq processes unencrypted bytes from man-in-the-middle (Not Applicable)
- https://github.com/apple/swift-nio/pull/2419
  Add unprocessedBytes property on NIOSingleStepByteToMessageProcessor by fabianfett · Pull Request #2419 · apple/swift-nio · GitHub (Patch)
- https://www.postgresql.org/support/security/CVE-2021-23214/
  PostgreSQL: CVE-2021-23214: Server processes unencrypted bytes from man-in-the-middle (Not Applicable)
- https://github.com/vapor/postgres-nio/security/advisories/GHSA-9cfh-vx93-84vv
  PostgresNIO processes unencrypted bytes from man-in-the-middle · Advisory · vapor/postgres-nio · GitHub (Vendor Advisory)
- https://github.com/vapor/postgres-nio/commit/2df54bc94607f44584ae6ffa74e3cd754fffafc7
  Merge pull request from GHSA-9cfh-vx93-84vv · vapor/postgres-nio@2df54bc · GitHub (Patch)
- https://github.com/advisories/GHSA-467w-rrqc-395f
  When the server is configured to use trust authentication... · CVE-2021-23214 · GitHub Advisory Database · GitHub (Not Applicable)
- https://github.com/vapor/postgres-nio/releases/tag/1.14.2
  Release PostgresNIO 1.14.2 · vapor/postgres-nio · GitHub (Release Notes)
- https://github.com/advisories/GHSA-735f-7qx4-jqq5
  A man-in-the-middle attacker can inject false responses... · CVE-2021-23222 · GitHub Advisory Database · GitHub (Not Applicable)