2372307 – (CVE-2025-49146) CVE-2025-49146 pgjdbc: pgjdbc insecure authentication in channel binding

Bug 2372307 (CVE-2025-49146) - CVE-2025-49146 pgjdbc: pgjdbc insecure authentication in channel binding

Summary: CVE-2025-49146 pgjdbc: pgjdbc insecure authentication in channel binding

Keywords:
Status:	NEW
Alias:	CVE-2025-49146
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-06-11 15:01 UTC by OSIDB Bzimport
Modified:	2025-09-22 23:39 UTC (History)
CC List:	102 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:10323	None	None	None	2025-07-03 12:46:32 UTC
Red Hat Product Errata	RHSA-2025:13274	None	None	None	2025-08-06 16:17:53 UTC
Red Hat Product Errata	RHSA-2025:16409	None	None	None	2025-09-22 23:39:47 UTC
Red Hat Product Errata	RHSA-2025:9697	None	None	None	2025-06-25 19:47:55 UTC

Description OSIDB Bzimport 2025-06-11 15:01:57 UTC

pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.

Comment 2 errata-xmlrpc 2025-06-25 19:47:47 UTC

This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7

Via RHSA-2025:9697 https://access.redhat.com/errata/RHSA-2025:9697

Comment 3 errata-xmlrpc 2025-07-03 12:46:25 UTC

This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2025:10323 https://access.redhat.com/errata/RHSA-2025:10323

Comment 4 errata-xmlrpc 2025-08-06 16:17:46 UTC

This issue has been addressed in the following products:

  Red Hat AMQ Broker 7.13.1

Via RHSA-2025:13274 https://access.redhat.com/errata/RHSA-2025:13274

Comment 6 errata-xmlrpc 2025-09-22 23:39:41 UTC

This issue has been addressed in the following products:

  Red Hat AMQ Broker 7.12.5

Via RHSA-2025:16409 https://access.redhat.com/errata/RHSA-2025:16409

Note You need to log in before you can comment on or make changes to this bug.

aazores
anstephe
anthomas
aprice
aschwart
asoldano
ataylor
avibelli
bbaranow
bgeorges
bmaxwell
boliveir
brian.stansberry
caswilli
ccranfor
cdewolf
clement.escoffier
cmah
cmiranda
dandread
darran.lofthouse
dbruscin
dhanak
dkreling
dnakabaa
dosoudil
drosa
eaguilar
ebaron
ehelms
eric.wittmann
fjuma
fmariani
ggainey
gmalinko
gsmet
ibek
istudens
ivassile
iweiss
janstey
jmartisk
jolong
jpechane
jpoth
jrokos
jsamir
juwatts
kaycoth
kgaikwad
kholdawa
kvanderr
kverlaen
lcouzens
lgao
lthon
manderse
mhulan
mnovotny
mosmerov
mposolda
mskarbek
msochure
msvehla
nipatil
nmoumoul
nwallace
oezr
olubyans
osousa
pantinor
pbizzarr
pcongius
pcreech
pdelbell
pesilva
pgallagh
pjindal
pmackay
probinso
rchan
rguimara
rkieley
rkubis
rruss
rstancel
rstepani
rsvoboda
sausingh
sbiarozk
sdawley
smaestri
smallamp
ssilvert
sthirugn
sthorger
tcunning
tom.jenkinson
tqvarnst
vkrizan
vmuzikar
yfang