CVE-2021-31671.yml
---
gem: pgsync
cve: 2021-31671
ghsa: 72rj-36qc-47g7
url: https://github.com/ankane/pgsync/issues/121
title: Connection security vulnerability with schema sync
date: 2021-04-26
description: |
  pgsync drops connection parameters when syncing the schema with the
  `--schema-first` and `--schema-only` options. Some of these parameters
  may affect security. For instance, if `sslmode` is dropped, the
  connection may not use SSL. The first connection parameter is not affected.

  An example where `sslmode` is dropped (`connect_timeout` is not affected):

  ```yaml
  from: postgres://user:pass@host/dbname?connect_timeout=10&sslmode=require
  ```

  This applies to both the `to` and `from` connections.
cvss_v3: 7.5
patched_versions:
  - ">= 0.6.7"