CVE-2018-10936: Improper Validation of Certificate with Host Mismatch

October 19, 2018 (updated January 8, 2021)

A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA.

References

github.com/advisories/GHSA-568q-9fw5-28wf
nvd.nist.gov/vuln/detail/CVE-2018-10936

Code Behaviors & Features

Detect and mitigate CVE-2018-10936 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →