- Description
- A password can be used past its expiry in PgBouncer because auth_query does not take into account the Postgres VALID UNTIL value, which allows an attacker to log in with an already expired password
- Source
- f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 8.1
- Impact score
- 5.9
- Exploitability score
- 2.2
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
- CWE-324
- Hype score
- Not currently trending
PostgreSQL: PgBouncer 1.24.1 released - Fixes CVE-2025-2291 https://t.co/kSxjPWi6i9 #PostgreSQL #devtalk
@dev_talk
22 Apr 2025
News: PgBouncer 1.24.1 released - Fixes CVE-2025-2291 https://t.co/lQJXCRggjh
@PostgreSQL
21 Apr 2025
CVE-2025-2291 HIGH (8.1) Unknown Vendor - PgBouncer 0 https://t.co/YS4ZZzwQ8l #CyberCron #VulnAlert #InfoSec https://t.co/d2lqq1c4Uf
@cybercronai
17 Apr 2025
PgBouncer 1.24.1 is out. It fixes CVE-2025-2291, which allowed expired passwords to still be accepted. It also fixes a few issues introduced in 1.24.0. https://t.co/wjAf4EN8hD
@JelteF
16 Apr 2025