CVE-2023-31136
LOW
PostgresNIO <1.14.2 - Info Disclosure
Title source: llmDescription
PostgresNIO is a Swift client for PostgreSQL. Any user of PostgresNIO prior to version 1.14.2 connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption. The vulnerability is addressed in PostgresNIO versions starting from 1.14.2. There are no known workarounds for unpatched users.
Scores
CVSS v3
3.7
EPSS
0.0020
EPSS Percentile
42.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Classification
CWE
CWE-522
Status
published
Affected Products (2)
vapor/postgresnio
< 1.14.2
SwiftURL/github.com/vapor/postgres-nio
< 1.14.2
SwiftURL
Timeline
Published
May 09, 2023
Tracked Since
Feb 18, 2026