Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU2OHEtOWZ3NS0yOHdm
Moderate severity vulnerability that affects org.postgresql:pgjdbc-aggregate
A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA.
Permalink: https://github.com/advisories/GHSA-568q-9fw5-28wf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU2OHEtOWZ3NS0yOHdm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 6 years ago
Updated: almost 2 years ago
Identifiers: GHSA-568q-9fw5-28wf, CVE-2018-10936
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-10936
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10936
- https://github.com/advisories/GHSA-568q-9fw5-28wf
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- https://www.postgresql.org/about/news/1883/
- http://www.securityfocus.com/bid/105220
Affected Packages
maven:org.postgresql:pgjdbc-aggregate
Dependent packages: 0
Dependent repositories: 4
Affected Version Ranges: < 42.2.5
Fixed in: 42.2.5
All affected versions: 9.4.1207, 9.4.1208, 9.4.1209, 9.4.1210, 9.4.1211, 9.4.1212, 42.0.0, 42.1.0, 42.1.1, 42.1.2, 42.1.3, 42.1.4, 42.2.0, 42.2.1, 42.2.2, 42.2.3, 42.2.4
All unaffected versions: 42.2.5, 42.2.6, 42.2.7, 42.2.8, 42.2.9, 42.2.10, 42.2.11, 42.2.12