Description

pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.

INFO

Published Date :

2025-06-11T14:32:39.348Z

Last Modified :

2025-06-11T14:46:17.286Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-49146 vulnerability.

Vendors Products
Pgjdbc
  • Pgjdbc
Postgresql
  • Postgresql Jdbc Driver
Redhat
  • Apache Camel Spring Boot
  • Cryostat
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-49146.

URL Resource
https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0 cve-icon cve-icon cve-icon
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-49146 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-49146 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact