CVE-2018-10936

HIGH

postgresql-jdbc <42.2.5 - SSL Man-In-The-Middle


Exploitation Summary

EIP tracks 3 public exploits for CVE-2018-10936. PoCs published by dawetmaster, andikahilmy, tafamace.

AI-analyzed exploit summary: none of the three tracked repositories contains working exploit code for CVE-2018-10936. Two hold only Travis CI configuration for building and testing the PostgreSQL JDBC driver across several PostgreSQL and Java versions; the third is a Java stub that prints its command-line arguments. Treat the exploit count above as a count of repositories named after the CVE, not of usable proofs of concept.

Description

A weakness was found in postgresql-jdbc (pgjdbc) before version 42.2.5. When an application supplied its own SSL factory (the sslfactory connection parameter) without also supplying a host name verifier, the driver did not check that the name in the server certificate matched the host it was connecting to. A man-in-the-middle attacker could therefore masquerade as a trusted server by presenting a certificate issued for a different host, as long as that certificate was signed by a CA the client trusted. Applications that set sslfactory should upgrade to 42.2.5 or later; until then, explicitly supplying a host name verifier (the sslhostnameverifier parameter) closes the gap this description refers to.
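As a worked illustration of the mitigation implied by that description, the following is an added example written for this page; it is not code from pgjdbc or from any of the repositories listed below. It shows the weak connection-property pattern beside a hardened one, a driver-version check, and a wrapping SSLSocketFactory that turns on the JSSE's own host name check for every socket it creates, so the TLS handshake itself fails on a mismatched certificate whatever the driver version does afterwards. The connection parameters sslfactory, sslmode and sslhostnameverifier are real pgjdbc parameters and org.postgresql.ssl.PGjdbcHostnameVerifier is the verifier the driver ships; the class name HardenedSslFactory, the placeholder com.example.SomeCustomFactory, the JDBC URL and the user name are assumptions made here.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example, not pgjdbc code; the class name is an assumption made for this page.
// Wraps the JVM default SSLSocketFactory and enables JSSE endpoint identification on
// every socket it hands out, so the handshake rejects a certificate whose name does not
// match the host the driver asked for.
public class HardenedSslFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    // pgjdbc instantiates the sslfactory class through a (Properties) constructor when one
    // exists; the connection properties are not needed here and are ignored.
    public HardenedSslFactory(Properties info) {
        this.delegate = (SSLSocketFactory) SSLSocketFactory.getDefault();
    }

    // "HTTPS" selects the RFC 2818 style host name check built into JSSE. It runs during
    // the handshake, independent of any verifier the driver applies (or fails to apply).
    static Socket enforceHostnameCheck(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            SSLParameters params = ssl.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            ssl.setSSLParameters(params);
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    // pgjdbc upgrades its already-connected plain socket through this overload after the
    // SSLRequest exchange; the host argument is what the certificate is checked against.
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return enforceHostnameCheck(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return enforceHostnameCheck(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return enforceHostnameCheck(delegate.createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return enforceHostnameCheck(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress addr, int port, InetAddress localAddr, int localPort) throws IOException {
        return enforceHostnameCheck(delegate.createSocket(addr, port, localAddr, localPort));
    }

    // The weak pattern this CVE describes: a custom factory with no verifier named, on a
    // driver before 42.2.5. com.example.SomeCustomFactory is a placeholder, not a real class.
    public static Properties vulnerableProps(String user) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("sslmode", "verify-full");
        p.setProperty("sslfactory", "com.example.SomeCustomFactory");
        return p;
    }

    // Hardened pattern: name the driver's bundled verifier explicitly and use a factory
    // that enforces the host name check on its own.
    public static Properties hardenedProps(String user) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("sslmode", "verify-full");
        p.setProperty("sslfactory", HardenedSslFactory.class.getName());
        p.setProperty("sslhostnameverifier", "org.postgresql.ssl.PGjdbcHostnameVerifier");
        return p;
    }

    // True when a driver version string such as "PostgreSQL JDBC Driver 42.2.5" is 42.2.5 or later.
    static boolean hasHostnameFix(String driverFullName) {
        String[] tokens = driverFullName.trim().split("\\s+");
        String[] v = tokens[tokens.length - 1].split("\\.");
        int[] min = {42, 2, 5};
        for (int i = 0; i < min.length; i++) {
            int part = i < v.length ? Integer.parseInt(v[i].replaceAll("\\D.*$", "")) : 0;
            if (part != min[i]) return part > min[i];
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical URL; pass your own as the first argument.
        String url = args.length > 0 ? args[0] : "jdbc:postgresql://db.example.internal:5432/app";
        String version = org.postgresql.Driver.getVersion();
        if (!hasHostnameFix(version)) {
            System.err.println("WARNING: " + version + " predates the CVE-2018-10936 fix; upgrade to 42.2.5 or later");
        }
        try (Connection c = DriverManager.getConnection(url, hardenedProps("app"))) {
            System.out.println("connected with host name verification enforced: " + c.getMetaData().getURL());
        }
    }
}
```

Compile and run this with the pgjdbc jar on the classpath. The endpoint-identification step is plain JSSE behaviour and works on any driver version, but it is defence in depth for code that must keep a custom factory; the fix for this CVE is to run a driver at 42.2.5 or later, and naming sslhostnameverifier explicitly costs nothing on either side of that line.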

Exploits (3)

nomisec WRITEUP
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-10936-pgjdbc-vulnerable

This repository contains configuration and CI/CD files for testing PostgreSQL JDBC driver vulnerabilities, specifically CVE-2018-10936. It includes Travis CI scripts for building and testing the driver across multiple PostgreSQL and Java versions, but no actual exploit code.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: PostgreSQL JDBC Driver (pgjdbc)
Auth: No auth needed
Prerequisites: PostgreSQL server · Java environment · Travis CI setup
devstral-2 · analyzed Mar 14, 2026

nomisec WRITEUP
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-10936-pgjdbc-vulnerable

This repository contains configuration and CI/CD files for testing PostgreSQL JDBC driver vulnerabilities, specifically CVE-2018-10936. It includes Travis CI configurations for various PostgreSQL and JDK versions but lacks direct exploit code.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: PostgreSQL JDBC Driver (pgjdbc)
Auth: No auth needed
Prerequisites: PostgreSQL server · JDBC driver
devstral-2 · analyzed Feb 18, 2026

nomisec STUB
by tafamace · poc
https://github.com/tafamace/CVE-2018-10936

The provided code is a simple Java stub that prints command-line arguments and does not demonstrate any exploit functionality related to CVE-2018-10936. It lacks any offensive techniques or vulnerability-specific logic.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
Auth: No auth needed
Prerequisites: none
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory, VDB Entry (SecurityFocus BID 105220)
http://www.securityfocus.com/bid/105220
Vendor Advisory (PostgreSQL news)
https://www.postgresql.org/about/news/1883/
Issue Tracking, Mitigation, Third Party Advisory (Red Hat Bugzilla)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10936

Scores

CVSS v3 8.1
EPSS 0.0085
EPSS Percentile 75.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-297 (Improper Validation of Certificate with Host Mismatch)
Status published
Products (4)
org.postgresql/pgjdbc-aggregate 0 - 42.2.5 (Maven)
postgresql/postgresql_jdbc_driver < 42.2.5
redhat/enterprise_linux 6.0
redhat/enterprise_linux 7.0
Published Aug 30, 2018
Tracked Since Feb 18, 2026