Vulnerability Description
A weakness was found in postgresql-jdbc before version 42.2.5. When an SSL factory was supplied but no host name verifier was provided to the driver, the server's host name was not checked against its certificate. As a result, a man-in-the-middle attacker could masquerade as a trusted server by presenting a certificate for the wrong host, as long as it was signed by a trusted CA.
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PostgreSQL | PostgreSQL JDBC Driver | < 42.2.5 |
| Red Hat | Enterprise Linux | 6.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/105220 (Third Party Advisory, VDB Entry)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10936 (Issue Tracking, Mitigation, Third Party Advisory)
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b667
- https://www.postgresql.org/about/news/1883/ (Vendor Advisory)
FAQ
What is CVE-2018-10936?
CVE-2018-10936 is a vulnerability with a CVSS score of 8.1 (HIGH). A weakness was found in postgresql-jdbc before version 42.2.5. When an SSL factory was supplied but no host name verifier was provided to the driver, the server's host name was not checked, allowing a man-in-the-middle attacker to masquerade as a trusted server with a certificate for the wrong host signed by a trusted CA.
How severe is CVE-2018-10936?
CVE-2018-10936 has been rated HIGH with a CVSS base score of 8.1/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2018-10936?
Check the References section above for vendor advisories and patch information; the vendor advisory covers the fixed release, postgresql-jdbc 42.2.5. Affected products include the PostgreSQL JDBC Driver (versions before 42.2.5) and Red Hat Enterprise Linux 6.0.