Skip to content

Dependency: pgx v5.9.2 vulnerable to auth downgrade (CWE-306, fix in v5.10.0) #4573

Description

@canolgun

Supply-chain notification

This project depends on jackc/pgx v5.9.2 which is vulnerable to CWE-306 (Missing Authentication Method Restriction).

Vulnerability: A malicious PostgreSQL server can downgrade authentication to cleartext password by sending AuthenticationCleartextPassword, which pgx < v5.10.0 accepts unconditionally.

Fix: pgx v5.10.0 adds require_auth config option restricting accepted auth methods (commit 1a976f7b).

Remediation: Bump github.com/jackc/pgx/v5 to v5.10.0+

Found by bounty-hunter v6.0

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions