Source: pgpool2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pgpool2.

CVE-2023-22332[0]:
| Information disclosure vulnerability exists in Pgpool-II 4.4.0 to
| 4.4.1 (4.4 series), 4.3.0 to 4.3.4 (4.3 series), 4.2.0 to 4.2.11 (4.2
| series), 4.1.0 to 4.1.14 (4.1 series), 4.0.0 to 4.0.21 (4.0 series),
| All versions of 3.7 series, All versions of 3.6 series, All versions
| of 3.5 series, All versions of 3.4 series, and All versions of 3.3
| series. A specific database user's authentication information may be
| obtained by another database user. As a result, the information stored
| in the database may be altered and/or database may be suspended by a
| remote attacker who successfully logged in the product with the
| obtained credentials.

Quoting from https://www.pgpool.net/mediawiki/index.php/Main_Page#News :
(I have no idea how common that is, feel free to downgrade as necessary)

----------------------------------------------
This release contains a security fix. If the following conditions are
all met, the password of "wd_lifecheck_user" is exposed by the
"SHOW POOL STATUS" command. The command can be executed by any user who
can connect to Pgpool-II. (CVE-2023-22332)

 • Version 3.3 or later
 • use_watchdog = on
 • wd_lifecheck_method = 'query'
 • A plain text password is set to wd_lifecheck_password
----------------------------------------------

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22332
    https://www.cve.org/CVERecord?id=CVE-2023-22332

Please adjust the affected versions in the BTS as needed.
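The four conditions quoted from the Pgpool-II release note translate directly into a configuration audit: an administrator can decide from pgpool.conf alone whether a given node exposes wd_lifecheck_password through SHOW POOL STATUS. The script below is an added example written for this report; it is not part of the bug report or of the Pgpool-II project. It assumes the Pgpool-II convention that an encrypted or hashed password value in pgpool.conf carries an "AES" or "md5" prefix and a plain text one optionally carries "TEXT", that an empty wd_lifecheck_password means the password is looked up elsewhere rather than stored inline, and that the defaults are use_watchdog = off and wd_lifecheck_method = 'heartbeat'. The three configuration fragments are constructed samples, not taken from any real deployment. The version condition cannot be read from the configuration file and has to be checked separately.

```python
import re

# Constructed sample pgpool.conf fragments (not from any real system).
VULNERABLE_CONF = """
# watchdog section
use_watchdog = on
wd_lifecheck_method = 'query'
wd_lifecheck_user = 'nobody'
wd_lifecheck_password = 'hunter2'   # plain text: exposed via SHOW POOL STATUS
"""

SAFE_CONF = """
use_watchdog = on
wd_lifecheck_method = 'heartbeat'
wd_lifecheck_user = 'nobody'
wd_lifecheck_password = 'hunter2'
"""

ENCRYPTED_CONF = """
use_watchdog = on
wd_lifecheck_method = 'query'
wd_lifecheck_user = 'nobody'
wd_lifecheck_password = 'AESu8zQx...'   # constructed placeholder for an AES-prefixed value
"""

# Assumption: Pgpool-II marks non-plain-text password values with these prefixes.
ENCRYPTED_PREFIXES = ("aes", "md5")


def _parse_value(raw):
    """Return the value part of a 'key = value' line with quotes and comments removed."""
    raw = raw.strip()
    if raw[:1] in ("'", '"'):
        quote = raw[0]
        end = raw.find(quote, 1)
        # An unterminated quote takes the rest of the line; a '#' inside quotes is data.
        return raw[1:] if end == -1 else raw[1:end]
    # Unquoted values end at the first comment marker.
    return raw.split("#", 1)[0].strip()


def parse_pgpool_conf(text):
    """Minimal pgpool.conf reader: 'key = value' lines, '#' comments, last key wins."""
    conf = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        key, _, rest = stripped.partition("=")
        conf[key.strip().lower()] = _parse_value(rest)
    return conf


def is_on(value):
    """pgpool boolean parameters accept on/off, true/false, yes/no, 1/0."""
    return value.strip().lower() in ("on", "true", "yes", "1")


def is_plaintext_password(value):
    """Heuristic: empty means 'stored elsewhere' (assumption), TEXT prefix or no
    recognised encryption prefix means the secret sits in the file in the clear."""
    if value == "":
        return False
    lowered = value.lower()
    if lowered.startswith("text"):
        return True
    return not lowered.startswith(ENCRYPTED_PREFIXES)


def check_cve_2023_22332(conf):
    """Evaluate the three configuration conditions from the release note.

    Returns (exposed, unmet): exposed is True only when every condition holds;
    unmet lists the conditions that are not satisfied, i.e. why the node is safe."""
    conditions = {
        "use_watchdog = on": is_on(conf.get("use_watchdog", "off")),
        "wd_lifecheck_method = 'query'":
            conf.get("wd_lifecheck_method", "heartbeat").lower() == "query",
        "plain text wd_lifecheck_password":
            is_plaintext_password(conf.get("wd_lifecheck_password", "")),
    }
    unmet = [name for name, met in conditions.items() if not met]
    return (not unmet, unmet)


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_CONF),
                        ("heartbeat", SAFE_CONF),
                        ("encrypted", ENCRYPTED_CONF)):
        exposed, unmet = check_cve_2023_22332(parse_pgpool_conf(text))
        status = "EXPOSED" if exposed else "not exposed (unmet: %s)" % ", ".join(unmet)
        print("%-10s %s" % (label, status))
```

Run against a real file with `parse_pgpool_conf(open("/etc/pgpool2/pgpool.conf").read())` (path is an assumption; use the node's actual pgpool.conf). A node reported as exposed is fixed by upgrading to a patched release; until then the `unmet` list shows which single change breaks the precondition, for example switching wd_lifecheck_method to 'heartbeat' or replacing the plain text password with an encrypted value.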