Bug 2372307 (CVE-2025-49146) - CVE-2025-49146 pgjdbc: pgjdbc insecure authentication in channel binding
Summary: CVE-2025-49146 pgjdbc: pgjdbc insecure authentication in channel binding
Keywords:
Status: NEW
Alias: CVE-2025-49146
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-06-11 15:01 UTC by OSIDB Bzimport
Modified: 2025-06-12 12:49 UTC (History)
102 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-06-11 15:01:57 UTC 
pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.
Note You need to log in before you can comment on or make changes to this bug.