libpq processes unencrypted bytes from man-in-the-middle

A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.

If more preconditions hold, the attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session. The attacker must have a way to trick the client's intended server into making the confidential data accessible to the attacker. A known implementation having that property is a PostgreSQL configuration vulnerable to CVE-2021-23214. As with any exploitation of CVE-2021-23214, the server must be using trust authentication with a clientcert requirement or using cert authentication. To disclose a password, the client must be in possession of a password, which is atypical when using an authentication configuration vulnerable to CVE-2021-23214. The attacker must have some other way to access the server to retrieve the exfiltrated data (a valid, unprivileged login account would be sufficient).

The PostgreSQL project thanks Jacob Champion for reporting this problem.

Version Information

Affected Version Fixed In Fix Published
14 14.1 2021-11-11
13 13.5 2021-11-11
12 12.9 2021-11-11
11 11.14 2021-11-11
10 10.19 2021-11-11
9.6 9.6.24 2021-11-11

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score 3.7
Component client
Vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to

For reporting non-security bugs, please see the Report a Bug page.