Zurück zur CVE-Übersicht
CVE-2026-6478
MEDIUM(6.5)CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Risk Signal Score16/100 — NIEDRIG
- CVSS 6.5 — Mittel
EPSS-Score
1%
Exploit-Wahrscheinlichkeit (30 Tage)
CVSS Score
6.5
Technische Schwere
Beschreibung
Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Referenzen
- https://www.postgresql.org/support/security/CVE-2026-6478/
- https://access.redhat.com/errata/RHSA-2026:21182
- https://access.redhat.com/errata/RHSA-2026:22878
- https://access.redhat.com/errata/RHSA-2026:26181
- https://access.redhat.com/errata/RHSA-2026:26203
- https://access.redhat.com/errata/RHSA-2026:26204
- https://access.redhat.com/errata/RHSA-2026:26524
- https://access.redhat.com/errata/RHSA-2026:26525
- https://access.redhat.com/errata/RHSA-2026:26561
- https://access.redhat.com/errata/RHSA-2026:27718