Pgbouncer
Monthly
PgBouncer before version 1.25.2 fails to properly restrict the KILL_CLIENT admin command to authorized users, allowing any user with access to the administration console to terminate client connections. The vulnerability affects all PgBouncer versions before 1.25.2 and requires prior authentication to the admin console, limiting the real-world risk despite the authorization bypass. CVSS 4.3 reflects low availability impact but highlights a privilege escalation within authenticated contexts.
PgBouncer before version 1.25.2 crashes when a backend PostgreSQL server sends an error response lacking an SQLSTATE field, enabling denial of service against connection pooling infrastructure. The vulnerability requires an attacker to control or compromise a PostgreSQL backend server or intercept server responses on the network, making exploitation conditional on non-default network topology or server compromise. CVSS score of 5.9 reflects high availability impact but limited attack surface due to medium complexity (AC:H).
Stack overflow in PgBouncer before 1.25.2 enables malicious PostgreSQL backend servers to trigger remote code execution via SCRAM authentication nonce manipulation. The flaw stems from incorrect strlcat() return value checking during SCRAM client-final-message construction. Remote unauthenticated exploitation is possible (CVSS 8.1, AV:N/PR:N) but requires high attack complexity - specifically, the attacker must control or compromise the backend PostgreSQL server PgBouncer connects to. No public exploit identified at time of analysis; EPSS and KEV data not available in this assessment.
Remote denial-of-service in PgBouncer versions before 1.25.2 allows unauthenticated attackers to crash the connection pooler by sending a malformed SCRAM authentication packet that triggers an integer overflow in network packet parsing code. The vulnerability bypasses boundary checks in authentication handling, enabling complete service disruption of database connection pooling. EPSS data not available, no confirmed active exploitation (not in CISA KEV), but the unauthenticated remote attack vector (CVSS AV:N/AC:L/PR:N) presents significant risk for internet-exposed PostgreSQL infrastructure.
Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.
Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user via an unknown username. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.
PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by sending a password packet before a startup packet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a denial of service (daemon outage) via a long database name in a request. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PgBouncer before version 1.25.2 fails to properly restrict the KILL_CLIENT admin command to authorized users, allowing any user with access to the administration console to terminate client connections. The vulnerability affects all PgBouncer versions before 1.25.2 and requires prior authentication to the admin console, limiting the real-world risk despite the authorization bypass. CVSS 4.3 reflects low availability impact but highlights a privilege escalation within authenticated contexts.
PgBouncer before version 1.25.2 crashes when a backend PostgreSQL server sends an error response lacking an SQLSTATE field, enabling denial of service against connection pooling infrastructure. The vulnerability requires an attacker to control or compromise a PostgreSQL backend server or intercept server responses on the network, making exploitation conditional on non-default network topology or server compromise. CVSS score of 5.9 reflects high availability impact but limited attack surface due to medium complexity (AC:H).
Stack overflow in PgBouncer before 1.25.2 enables malicious PostgreSQL backend servers to trigger remote code execution via SCRAM authentication nonce manipulation. The flaw stems from incorrect strlcat() return value checking during SCRAM client-final-message construction. Remote unauthenticated exploitation is possible (CVSS 8.1, AV:N/PR:N) but requires high attack complexity - specifically, the attacker must control or compromise the backend PostgreSQL server PgBouncer connects to. No public exploit identified at time of analysis; EPSS and KEV data not available in this assessment.
Remote denial-of-service in PgBouncer versions before 1.25.2 allows unauthenticated attackers to crash the connection pooler by sending a malformed SCRAM authentication packet that triggers an integer overflow in network packet parsing code. The vulnerability bypasses boundary checks in authentication handling, enabling complete service disruption of database connection pooling. EPSS data not available, no confirmed active exploitation (not in CISA KEV), but the unauthenticated remote attack vector (CVSS AV:N/AC:L/PR:N) presents significant risk for internet-exposed PostgreSQL infrastructure.
Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.
Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user via an unknown username. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.
PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by sending a password packet before a startup packet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a denial of service (daemon outage) via a long database name in a request. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.