Search for packages
| purl | pkg:maven/org.postgresql/postgresql@42.7.6 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-su7j-n4f9-y3a2
Aliases: CVE-2025-49146 GHSA-hq9p-pm7w-8p54 |
pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration ### Impact When the PostgreSQL JDBC driver is configured with channel binding set to `required` (default value is `prefer`), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. ### Patches TBD ### Workarounds Configure `sslMode=verify-full` to prevent MITM attacks. ### References * https://www.postgresql.org/docs/current/sasl-authentication.html#SASL-SCRAM-SHA-256 * https://datatracker.ietf.org/doc/html/rfc7677 * https://datatracker.ietf.org/doc/html/rfc5802 |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T23:30:52.598497+00:00 | GitLab Importer | Affected by | VCID-su7j-n4f9-y3a2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.postgresql/postgresql/CVE-2025-49146.yml | 38.4.0 |
| 2026-04-12T00:50:37.184076+00:00 | GitLab Importer | Affected by | VCID-su7j-n4f9-y3a2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.postgresql/postgresql/CVE-2025-49146.yml | 38.3.0 |
| 2026-04-03T00:58:41.139996+00:00 | GitLab Importer | Affected by | VCID-su7j-n4f9-y3a2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.postgresql/postgresql/CVE-2025-49146.yml | 38.1.0 |