Supply-chain notification
This project depends on jackc/pgx v5.9.2 which is vulnerable to CWE-306 (Missing Authentication Method Restriction).
Vulnerability: A malicious PostgreSQL server can downgrade authentication to cleartext password by sending AuthenticationCleartextPassword, which pgx < v5.10.0 accepts unconditionally.
Fix: pgx v5.10.0 adds require_auth config option restricting accepted auth methods (commit 1a976f7b).
Remediation: Bump github.com/jackc/pgx/v5 to v5.10.0+
Found by bounty-hunter v6.0
Supply-chain notification
This project depends on jackc/pgx v5.9.2 which is vulnerable to CWE-306 (Missing Authentication Method Restriction).
Vulnerability: A malicious PostgreSQL server can downgrade authentication to cleartext password by sending AuthenticationCleartextPassword, which pgx < v5.10.0 accepts unconditionally.
Fix: pgx v5.10.0 adds
require_authconfig option restricting accepted auth methods (commit 1a976f7b).Remediation: Bump
github.com/jackc/pgx/v5to v5.10.0+Found by bounty-hunter v6.0