CVE-2021-23214

HIGH

Server - SQL Injection

Title source: llm

Description

When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.

References (5)

Core 5

Core References

Third Party Advisory vendor-advisory

https://security.gentoo.org/glsa/202211-04

Issue Tracking, Patch, Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2022666

Patch, Third Party Advisory

https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951

View Patch ZIP pw:eip

Vendor Advisory

https://www.postgresql.org/support/security/CVE-2021-23214/

Various Sources

https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commit%3Bh=28e24125541545483093819efae9bca603441951

Scores

CVSS v3 8.1

EPSS 0.0019

EPSS Percentile 40.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (8)

fedoraproject/fedora 34

fedoraproject/fedora 35

postgresql/postgresql 14.0

postgresql/postgresql < 9.6.24

redhat/enterprise_linux 8.0

redhat/enterprise_linux_for_ibm_z_systems 8.0

redhat/enterprise_linux_for_power_little_endian 8.0

redhat/software_collections 1.0

Published Mar 04, 2022

Tracked Since Feb 18, 2026