CVE-2020-25694
First published: Wed Nov 04 2020(Updated: )
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/postgresql | <0:9.2.24-6.el7_9 | 0:9.2.24-6.el7_9 |
| redhat/libpq | <0:12.5-1.el8_3 | 0:12.5-1.el8_3 |
| redhat/libpq | <0:12.5-1.el8_0 | 0:12.5-1.el8_0 |
| redhat/libpq | <0:12.5-2.el8_1 | 0:12.5-2.el8_1 |
| redhat/libpq | <0:12.5-1.el8_2 | 0:12.5-1.el8_2 |
| redhat/rh-postgresql10-postgresql | <0:10.15-1.el7 | 0:10.15-1.el7 |
| redhat/rh-postgresql12-postgresql | <0:12.5-1.el7 | 0:12.5-1.el7 |
| redhat/postgresql | <13.1 | 13.1 |
| redhat/postgresql | <12.5 | 12.5 |
| redhat/postgresql | <11.10 | 11.10 |
| redhat/postgresql | <10.15 | 10.15 |
| redhat/postgresql | <9.6.20 | 9.6.20 |
| redhat/postgresql | <9.5.24 | 9.5.24 |
| PostgreSQL PostgreSQL | <9.5.24 | |
| PostgreSQL PostgreSQL | >=9.6.0<9.6.20 | |
| PostgreSQL PostgreSQL | >=10.0<10.15 | |
| PostgreSQL PostgreSQL | >=11.0<11.10 | |
| PostgreSQL PostgreSQL | >=12.0<12.5 | |
| PostgreSQL PostgreSQL | >=13.0<13.1 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1894423
- https://lists.debian.org/debian-lts-announce/2020/12/msg00005.html
- https://security.gentoo.org/glsa/202012-07
- https://security.netapp.com/advisory/ntap-20201202-0003/
- https://www.postgresql.org/support/security/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1897234
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1897231
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1897222
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1897228
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1897225
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1897219
- https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=85c54287af56fe351b53913ea2b81e9d6145f964
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=8e5793ab60bba65ffaa0f2237b39c9580d8972c7
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=a45bc8a4f6495072bc48ad40a5aa0304979114f7
- https://access.redhat.com/errata/RHSA-2020:5316
- https://access.redhat.com/errata/RHSA-2020:5317
- https://access.redhat.com/errata/RHSA-2020:5401
- https://access.redhat.com/security/cve/cve-2020-25694
- https://access.redhat.com/errata/RHSA-2020:5567
- https://access.redhat.com/errata/RHSA-2020:5619
- https://access.redhat.com/errata/RHSA-2020:5620
- https://access.redhat.com/errata/RHSA-2020:5638
- https://access.redhat.com/errata/RHSA-2020:5661
- https://access.redhat.com/errata/RHSA-2020:5664
- https://access.redhat.com/errata/RHSA-2021:0057
- https://access.redhat.com/errata/RHSA-2021:0161
- https://access.redhat.com/errata/RHSA-2021:0163
- https://access.redhat.com/errata/RHSA-2021:0164
- https://access.redhat.com/errata/RHSA-2021:0165
- https://access.redhat.com/errata/RHSA-2021:0166
- https://access.redhat.com/errata/RHSA-2021:0167
- https://access.redhat.com/errata/RHSA-2021:1512
- https://www.cve.org/CVERecord?id=CVE-2020-25694 https://nvd.nist.gov/vuln/detail/CVE-2020-25694 https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-25694?
CVE-2020-25694 is a vulnerability found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24.
What is the severity of CVE-2020-25694?
CVE-2020-25694 has a severity score of 8.1, which is considered high.
How does CVE-2020-25694 affect PostgreSQL?
CVE-2020-25694 affects PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24.
How can I fix CVE-2020-25694?
To fix CVE-2020-25694, upgrade to PostgreSQL version 13.1, 12.5, 11.10, 10.15, or 9.6.20.
Where can I find more information about CVE-2020-25694?
You can find more information about CVE-2020-25694 in the Red Hat Bugzilla references: https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1897234, https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1897231, https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1897222.
- collector/redhat-cve
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/remedy
- agent/severity
- agent/author
- agent/weakness
- agent/references
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-25694
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/postgresql
- canonical/postgresql postgresql
- version/postgresql postgresql/9.6.0
- version/postgresql postgresql/10.0
- version/postgresql postgresql/11.0
- version/postgresql postgresql/12.0
- version/postgresql postgresql/13.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0