Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2021-43767

Improper Certificate Validation

Published: Aug 25, 2022 | Modified: Nov 07, 2023
CVSS 3.x
5.9
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2021-43767
CWEhttps://cwe.mitre.org/data/definitions/295.html

Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject false responses to the clients first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to client as if they originated from valid server. This is similar to CVE-2021-23222 for PostgreSQL.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name Vendor Start Version End Version
Postgresql Postgresql 9.6.0 (including) 9.6.24 (excluding)
Postgresql Postgresql 10.0 (including) 10.19 (excluding)
Postgresql Postgresql 11.0 (including) 11.14 (excluding)
Postgresql Postgresql 12.0 (including) 12.9 (excluding)
Postgresql Postgresql 13.0 (including) 13.5 (excluding)
Postgresql Postgresql 14.0 (including) 14.0 (including)

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use