An information disclosure vulnerability was found in Pgpool-II. The password of "wd_lifecheck_user" is exposed by the "SHOW POOL STATUS" command.

Note that all of the following conditions are required for this vulnerability to be exploitable:

* Version 3.3 or later
* Watchdog function is enabled (use_watchdog = on)
* "query mode" is used for the alive monitoring of watchdog (wd_lifecheck_method = 'query')
* Plain text password is set for wd_lifecheck_password

References:
https://www.pgpool.net/mediawiki/index.php/Main_Page
https://www.postgresql.org/about/news/pgpool-ii-442-435-4212-4115-and-4022-released-2578/
https://jvn.jp/en/jp/JVN72418815/
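A configuration check for the four conditions listed in the report above, as an added example that is not part of the original report or of Pgpool-II itself. The function names, the sample pgpool.conf fragment, the accepted boolean spellings, and the treatment of an "AES"-prefixed value as non-plain-text are assumptions; fixed releases are not modelled, so the version test only mirrors "3.3 or later".

```python
import re

# Constructed sample pgpool.conf fragment (not taken from the report).
SAMPLE_CONF = """\
# watchdog settings
use_watchdog = on
wd_lifecheck_method = 'query'   # heartbeat, query or external
wd_lifecheck_user = 'nobody'
wd_lifecheck_password = 'example-secret'
"""

# key = 'quoted value' or key = bare_value, trailing "# comment" ignored.
_SETTING = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=?\s*(?:'((?:[^']|'')*)'|([^#\s]*))"
)
_TRUTHY = {"on", "true", "yes", "1"}  # assumed boolean spellings


def parse_conf(text):
    """Return {name: value}; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if not m:
            continue  # blank line or comment
        value = m.group(2) if m.group(2) is not None else m.group(3)
        settings[m.group(1).lower()] = value.replace("''", "'")
    return settings


def exposure_conditions(conf_text, version):
    """Evaluate each condition from the report; version is e.g. (4, 3)."""
    s = parse_conf(conf_text)
    password = s.get("wd_lifecheck_password", "")
    return {
        "version_3_3_or_later": tuple(version) >= (3, 3),
        "watchdog_enabled": s.get("use_watchdog", "off").lower() in _TRUTHY,
        "lifecheck_query_mode": s.get("wd_lifecheck_method", "").lower() == "query",
        # Assumption: an empty value or an "AES"-prefixed value is not plain text.
        "plaintext_password": bool(password) and not password.startswith("AES"),
    }


def is_exposed(conf_text, version):
    """True only when all four conditions hold. Never returns the password."""
    return all(exposure_conditions(conf_text, version).values())
```
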

Created postgresql-pgpool-II tracking bugs for this issue:

Affects: epel-all [bug 2165113]
Affects: fedora-all [bug 2165112]

Created postgresql:11/postgresql-pgpool-II tracking bugs for this issue:

Affects: epel-all [bug 2165115]
Affects: fedora-all [bug 2165114]

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.