oss-sec mailing list archives

CVE Request: PgBouncer: failed auth_query lookup leads to connection as auth_user


From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 4 Sep 2015 20:08:11 +0200

Hi

Could you please assign a CVE for the following PgBouncer issue?

From upstream announce:

https://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/
New auth_user functionality introduced in 1.6 allows login as
auth_user when client presents unknown username. It’s quite likely
auth_user is superuser. Affects only setups that have enabled
auth_user in their config.

References:
 - https://github.com/pgbouncer/pgbouncer/issues/69
 - http://comments.gmane.org/gmane.comp.db.postgresql.pgbouncer.general/1251

Upstream fix:
https://github.com/pgbouncer/pgbouncer/commit/7ca3e5279d05fceb1e8a043c6f5b6f58dea3ed38

Regards,
Salvatore
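To make the described failure mode concrete, here is a constructed model of the auth_user/auth_query flow (added here, not PgBouncer's code; the function names, the in-memory stand-in for the auth_query result set and the credential values are assumptions). It contrasts the 1.6.0 behaviour, where a lookup that returns no row leaves the auth_user credentials in place for the session, with the 1.6.1 behaviour of rejecting an unknown username outright.

```python
# Constructed model of PgBouncer's auth_user / auth_query flow.
# Not PgBouncer's own code: names, values and the lookup stand-in are assumptions.

AUTH_USER = "pgbouncer_auth"        # account used to run auth_query; often a superuser
AUTH_USER_PASSWORD = "auth-secret"  # constructed credential for that account

# Constructed stand-in for the rows auth_query would return from pg_shadow.
PG_SHADOW = {"app": "app-pass", "report": "report-pass"}


def auth_query(username):
    """Return (usename, passwd) for a known user, or None when the lookup finds no row."""
    passwd = PG_SHADOW.get(username)
    return (username, passwd) if passwd is not None else None


def login_vulnerable(username, password):
    """Models the 1.6.0 flaw: a failed lookup is not treated as an error, so the
    credentials of auth_user (already loaded to run the query) stay in effect."""
    cred_user, cred_pw = AUTH_USER, AUTH_USER_PASSWORD
    row = auth_query(username)
    if row is not None:
        cred_user, cred_pw = row
    # Assumption in this model: the password check still runs, but against
    # whatever credentials are left in cred_user/cred_pw.
    return cred_user if password == cred_pw else None


def login_fixed(username, password):
    """Models the 1.6.1 fix: an unknown username is rejected before any
    credential from auth_user can be reused for the client session."""
    row = auth_query(username)
    if row is None:
        return None
    cred_user, cred_pw = row
    return cred_user if password == cred_pw else None


if __name__ == "__main__":
    print(login_vulnerable("nobody", AUTH_USER_PASSWORD))  # session as auth_user
    print(login_fixed("nobody", AUTH_USER_PASSWORD))       # None: rejected
```

A session returned as `pgbouncer_auth` for a username that does not exist in pg_shadow is the condition the advisory describes; the fixed path never reaches a password comparison for such a name.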
