CVE-2020-25694

Reconnection can downgrade connection security settings

Many PostgreSQL-provided client applications have options that create additional database connections. Some of those applications reuse only the basic connection parameters (e.g. host, user, port), dropping others. If this drops a security-relevant parameter (e.g. channel_binding, sslmode, requirepeer, gssencmode), the attacker has an opportunity to complete a MITM attack or observe cleartext transmission.

Affected applications are clusterdb, pg_dump, pg_restore, psql, reindexdb, and vacuumdb. The vulnerability arises only if one invokes an affected client application with a connection string containing a security-relevant parameter.
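As an added illustration (this is not code from the advisory or from the PostgreSQL project), the following Python helper models the defect class the advisory describes: it parses a libpq connection string, reconstructs the reduced parameter set a pre-fix helper connection would have been built from (basic keys only), and reports which security-relevant parameters were lost. The key names in SECURITY_RELEVANT beyond the four the advisory lists, the BASIC_KEYS set, and the sample connection strings are assumptions constructed for the example; the parser handles the key=value and postgresql:// URI forms but not every libpq quoting corner case.

```python
"""Audit helper for dropped libpq security parameters (added example)."""
import shlex
from urllib.parse import urlparse, parse_qsl

# Parameters whose loss weakens transport protection or peer authentication.
# The first four are the ones named in the advisory; the rest are assumed
# additions covering the TLS material libpq also accepts in a conninfo string.
SECURITY_RELEVANT = {
    "channel_binding", "sslmode", "requirepeer", "gssencmode",
    "sslrootcert", "sslcert", "sslkey", "sslcrl",
}

# Assumed model of the "basic connection parameters" an affected client reused.
BASIC_KEYS = {"host", "hostaddr", "port", "user", "dbname", "password"}


def parse_conninfo(conninfo):
    """Return a dict of libpq parameters from a URI or key=value conninfo string."""
    conninfo = conninfo.strip()
    if conninfo.startswith(("postgresql://", "postgres://")):
        u = urlparse(conninfo)
        params = {}
        if u.hostname:
            params["host"] = u.hostname
        if u.port:
            params["port"] = str(u.port)
        if u.username:
            params["user"] = u.username
        if u.password:
            params["password"] = u.password
        if u.path and u.path != "/":
            params["dbname"] = u.path.lstrip("/")
        params.update(parse_qsl(u.query))  # ?sslmode=...&gssencmode=...
        return params
    # key=value form; shlex handles key='quoted value'. Whitespace around '='
    # (which libpq tolerates) is not supported by this simplified parser.
    params = {}
    for token in shlex.split(conninfo):
        key, _, value = token.partition("=")
        params[key.strip()] = value
    return params


def simulate_basic_only_reconnect(original):
    """Model the pre-fix behaviour: rebuild a helper connection from basic keys only."""
    orig = parse_conninfo(original)
    return " ".join(f"{k}={v}" for k, v in orig.items() if k in BASIC_KEYS)


def dropped_security_params(original, reused):
    """Security-relevant keys present in `original` but missing or changed in `reused`."""
    orig = parse_conninfo(original)
    kept = parse_conninfo(reused)
    return sorted(k for k in orig
                  if k in SECURITY_RELEVANT and kept.get(k) != orig[k])


if __name__ == "__main__":
    # Constructed sample: a hardened invocation string and its degraded reconnect.
    sample = ("host=db.example.internal port=5432 user=app dbname=prod "
              "sslmode=verify-full channel_binding=require")
    degraded = simulate_basic_only_reconnect(sample)
    print("reconnect string:", degraded)
    print("dropped:", dropped_security_params(sample, degraded))
```

The same check applies to a URI-form string, since parse_conninfo normalises both forms to one dict; an empty result from dropped_security_params means the helper connection carried every security-relevant setting forward, which is the post-fix behaviour the advisory describes.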

This also fixes how the \connect command of psql reuses connection parameters, i.e. all non-overridden parameters from a previous connection string are now re-used.

The PostgreSQL project thanks Peter Eisentraut for reporting this problem.

Version Information

Affected Version   Fixed In   Fix Published
13                 13.1       2020-11-12
12                 12.5       2020-11-12
11                 11.10      2020-11-12
10                 10.15      2020-11-12
9.6                9.6.20     2020-11-12
9.5                9.5.24     2020-11-12

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score: 8.1
Component:     client
Vector:        AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to security@postgresql.org.

For reporting non-security bugs, please see the Report a Bug page.