Improper Authentication Affecting libpgjava package, versions <42.7.7-1


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.02% (5th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Authentication vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIANUNSTABLE-LIBPGJAVA-10343301
  • published12 Jun 2025
  • disclosed11 Jun 2025

Introduced: 11 Jun 2025

NewCVE-2025-49146  (opens in a new tab)
CWE-287  (opens in a new tab)

How to fix?

Upgrade Debian:unstable libpgjava to version 42.7.7-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpgjava package and not the libpgjava package as distributed by Debian. See How to fix? for Debian:unstable relevant fixed versions and status.

pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.

CVSS Base Scores

version 3.1