CVE-2020-25694 log

Severity Low
Remote Yes
Type Silent downgrade
A security issue has been found in PostgreSQL before 12.5. Many PostgreSQL-provided client applications have options that create additional database connections. Some of those applications reuse only the basic connection parameters (e.g. host, user, port), dropping others. If this drops a security-relevant parameter (e.g. channel_binding, sslmode, requirepeer, gssencmode), the attacker has an opportunity to complete a MITM attack or observe cleartext transmission.

Affected applications are clusterdb, pg_dump, pg_restore, psql, reindexdb, and vacuumdb. The vulnerability arises only if one invokes an affected client application with a connection string containing a security-relevant parameter.
Group Package Affected Fixed Severity Status Ticket
AVG-1276 postgresql 12.4-2 12.5-1 High Fixed
Date Advisory Group Package Severity Type
17 Nov 2020 ASA-202011-14 AVG-1276 postgresql High multiple issues