| Description |
A security issue has been found in PostgreSQL before 12.5. Many PostgreSQL-provided client applications have options that create additional database connections. Some of those applications reuse only the basic connection parameters (e.g. host, user, port), dropping others. If this drops a security-relevant parameter (e.g. channel_binding, sslmode, requirepeer, gssencmode), the attacker has an opportunity to complete a MITM attack or observe cleartext transmission.
Affected applications are clusterdb, pg_dump, pg_restore, psql, reindexdb, and vacuumdb. The vulnerability arises only if one invokes an affected client application with a connection string containing a security-relevant parameter. |