CVE-2025-2291
8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | PgBouncer | 0 < 1.24.1 | affected |
Weaknesses
- CWE-324: Use of a Key Past its Expiration Date
Workarounds
Configure a custom auth_query containing the new default auth_query introduced in PgBouncer 1.24.1, this auth_query takes expiry into account
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.