Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTcycmotMzZxYy00N2c3
Pgsync Contains Cleartext Transmission of Sensitive Information
pgsync before 0.6.7 is affected by Information Disclosure of sensitive information. Syncing the schema with the --schema-first
and --schema-only
options is mishandled. For example, the sslmode connection parameter may be lost, which means that SSL would not be used.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTcycmotMzZxYy00N2c3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: 9 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-72rj-36qc-47g7, CVE-2021-31671
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-31671
- https://github.com/ankane/pgsync/issues/121
- https://github.com/ankane/pgsync/commit/05cd18f5fc09407e4b544f2c12f819cabc50c40e
- https://github.com/ankane/pgsync/blob/master/CHANGELOG.md#067-2021-04-26
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pgsync/CVE-2021-31671.yml
- https://github.com/advisories/GHSA-72rj-36qc-47g7
Blast Radius: 20.7
Affected Packages
rubygems:pgsync
Dependent packages: 0Dependent repositories: 575
Downloads: 926,372 total
Affected Version Ranges: < 0.6.7
Fixed in: 0.6.7
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6
All unaffected versions: 0.6.7, 0.6.8, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4