PostgresNIO processes unencrypted bytes from man-in-the-middle

CVE-2023-31136 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Impact

Any user of PostgresNIO connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption.

The remaining text in this section is quoted verbatim from PostgreSQL's CVE-2021-23222 advisory:

> If more preconditions hold, the attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session. The attacker must have a way to trick the client's intended server into making the confidential data accessible to the attacker. A known implementation having that property is a PostgreSQL configuration vulnerable to CVE-2021-23214. As with any exploitation of CVE-2021-23214, the server must be using trust authentication with a clientcert requirement or using cert authentication. To disclose a password, the client must be in possession of a password, which is atypical when using an authentication configuration vulnerable to CVE-2021-23214. The attacker must have some other way to access the server to retrieve the exfiltrated data (a valid, unprivileged login account would be sufficient).

Patches

The vulnerability is addressed in PostgresNIO versions starting from 1.14.2 via 2df54bc94607f44584ae6ffa74e3cd754fffafc7, which required additional support from SwiftNIO.

Workarounds

There are no known workarounds for unpatched users.

Additional Credits

Special thanks to PostgreSQL's Tom Lane <[email protected]> for reporting this issue!

References

Basic information

Type
reviewed
Severity
low
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2023-05-10 19:20:16 UTC
Updated
2023-11-06 05:05:52 UTC
GitHub reviewed
2023-05-10 19:20:16 UTC
NVD published
2023-05-09 14:15:13 UTC

EPSS Score

Score Percentile
0.20% 42.02%

CVSS Scores

Base score Version Severity Vector
3.7 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

Type Value
GHSA GHSA-9cfh-vx93-84vv ↗
CVE CVE-2023-31136 ↗

CWEs

CWE id Name
CWE-522 Insufficiently Protected Credentials

Credits

  • fabianfett (remediation_developer)
  • gwynne (coordinator)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
swift github.com/vapor/postgres-nio < 1.14.2 1.14.2

References

cvelogic Threat Intelligence