CVE Identifier: CVE-2021-31671
Versions Affected: 0.6.6 and below
Fixed Versions: 0.6.7
Impact
pgsync drops connection parameters when syncing the schema with the --schema-first and --schema-only options. Some of these parameters may affect security. For instance, if sslmode is dropped, the connection falls back to libpq's default (sslmode=prefer), so it may not use SSL at all and, even when it does, the server certificate is not verified. The first connection parameter is not affected.

Here's an example where sslmode is dropped (connect_timeout is not affected):

This applies to both the to and from connections.

All users running an affected release should upgrade immediately.
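The following is an added example, not pgsync's own code. It models the behaviour described above (only the first query parameter of the connection URI survives; that modelling is an assumption, since the advisory does not say how the rebuild works) and shows the check a user can run on their own to/from URIs: compare the parameters of the URI they configured with the parameters of the URI a tool actually hands on, and flag any security-relevant ones that went missing. The host name, database and parameter values are constructed.

```ruby
require "uri"
require "cgi"

# libpq connection parameters whose loss weakens the security of a connection.
SECURITY_PARAMS = %w[sslmode sslrootcert sslcert sslkey sslcrl channel_binding gssencmode].freeze

# Parse the query string of a postgres:// URI into a parameter hash.
# CGI.parse returns arrays of values; libpq takes one value per key, so keep the first.
def connection_params(uri_string)
  query = URI.parse(uri_string).query
  return {} if query.nil? || query.empty?
  CGI.parse(query).transform_values(&:first)
end

# Model of the behaviour the advisory describes (an assumption, not pgsync's code):
# the rebuilt URI keeps only the first query parameter, so everything after it,
# sslmode included, is lost.
def rebuild_keeping_first_param(uri_string)
  uri = URI.parse(uri_string)
  return uri.to_s if uri.query.nil?
  uri.query = uri.query.split("&").first
  uri.to_s
end

# Security-relevant parameters present in `original` but missing or changed in
# `rebuilt` (the URI a tool actually passes to psql/pg_dump). Empty means safe.
def dropped_security_params(original, rebuilt)
  orig = connection_params(original)
  got = connection_params(rebuilt)
  SECURITY_PARAMS.select { |k| orig.key?(k) && got[k] != orig[k] }
end

# Constructed input: connect_timeout comes first and survives; sslmode does not.
ORIGINAL_URI = "postgres://app@db.example.internal:5432/app?connect_timeout=5&sslmode=verify-full"
REBUILT_URI = rebuild_keeping_first_param(ORIGINAL_URI)

if __FILE__ == $PROGRAM_NAME
  puts "configured: #{ORIGINAL_URI}"
  puts "rebuilt:    #{REBUILT_URI}"
  dropped = dropped_security_params(ORIGINAL_URI, REBUILT_URI)
  if dropped.empty?
    puts "all security parameters preserved"
  else
    puts "WARNING: security parameters dropped: #{dropped.join(', ')}"
  end
end
```

Running the script prints a warning naming sslmode as the dropped parameter; putting sslmode first in the URI would make this particular model pass, but the only real fix is upgrading to a release that preserves every parameter.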
Credits
Thanks to Dmitriy Gunchenko for reporting this.