The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade org.postgresql:postgresql to version 42.7.12 or higher.
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.
Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm in the ScramAuthenticator class, which fails open by confirming only that the server advertised a -PLUS mechanism while neither rejecting an empty channel binding nor verifying that the negotiated mechanism actually uses channel binding. An attacker intercepting the TLS connection can strip the MitM protection that channelBinding=require is meant to guarantee, downgrading authentication from SCRAM-SHA-256-PLUS to plain SCRAM-SHA-256, by presenting a certificate with a signature algorithm such as Ed25519, Ed448, or a post-quantum scheme that makes the bundled scram-client return an empty binding instead of failing. This affects only connections that explicitly set channelBinding=require, since the default prefer policy documents fallback as expected behavior.
This vulnerability can be avoided by configuring the connection with sslmode=verify-full and a restrictive truststore, which provides equivalent MitM protection independent of channel binding.