CVE-2018-10936
Summary
| CVE | CVE-2018-10936 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2018-08-30 13:29:00 UTC |
|---|
| Updated | 2023-11-07 02:51:00 UTC |
|---|
| Description | A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| 1622225 – (CVE-2018-10936) CVE-2018-10936 PostgreSQL: Postgres JDBC driver does not perform host name validation by default |
CONFIRM |
bugzilla.redhat.com |
Issue Tracking, Mitigation, Third Party Advisory |
| PostgreSQL JDBC CVE-2018-10936 Man in the Middle Security Bypass Vulnerability |
BID |
www.securityfocus.com |
Third Party Advisory, VDB Entry |
| Pony Mail! |
MLIST |
lists.apache.org |
|
| Pony Mail! |
|
lists.apache.org |
|
| PostgreSQL: PostgreSQL JDBC 42.2.5 Released (Security Fix CVE-2018-10936) |
CONFIRM |
www.postgresql.org |
Vendor Advisory |
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 983078 Java (maven) Security Update for org.postgresql:pgjdbc-aggregate (GHSA-568q-9fw5-28wf)
