CVE-2021-43767

MEDIUM

Odyssey - Info Disclosure

Title source: llm

Description

Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses to the client's first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to client as if they originated from valid server. This is similar to CVE-2021-23222 for PostgreSQL.

References (2)

[Not Applicable, Vendor Advisory] https://www.postgresql.org/support/security/CVE-2021-23222/

[Issue Tracking] https://github.com/yandex/odyssey/issues/377%2C

Scores

CVSS v3 5.9

EPSS 0.0014

EPSS Percentile 34.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE

CWE-295 CWE-522

Status published

Affected Products (2)

postgresql/postgresql < 9.6.24

postgresql/postgresql

Timeline

Published Aug 25, 2022

Tracked Since Feb 18, 2026