Endpoint Vulnerability

PostgreSQL: libpq ignores PGREQUIRESSL environment variable

Description

It was discovered that the PostgreSQL client library (libpq) did not enforce the use of TLS/SSL for a connection to a PostgreSQL server when the PGREQUIRESSL environment variable was set. A man-in-the-middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.
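The following configuration check is an added example, not part of the original advisory. It flags libpq clients whose only TLS requirement is PGREQUIRESSL. It assumes libpq's `sslmode` connection parameter and `PGSSLMODE` variable, which the advisory does not mention; the function names, status labels and sample inputs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# sslmode values with which libpq refuses to fall back to a plaintext session
ENFORCING = {"require", "verify-ca", "verify-full"}


def conninfo_sslmode(conninfo):
    """Return the sslmode given in a connection string or URI, else None.

    Simplified parser (assumption): handles postgresql:// URIs and plain
    keyword=value strings, not every quoting form libpq accepts.
    """
    if conninfo.startswith(("postgresql://", "postgres://")):
        values = parse_qs(urlsplit(conninfo).query).get("sslmode")
        return values[-1] if values else None
    found = re.findall(r"(?:^|\s)sslmode\s*=\s*'?([A-Za-z-]+)'?", conninfo)
    return found[-1] if found else None


def audit(env, conninfo=""):
    """Classify how a client's TLS requirement is expressed.

    A connection-string sslmode takes precedence over PGSSLMODE; with
    neither set, libpq's default sslmode is "prefer".
    """
    mode = conninfo_sslmode(conninfo) or env.get("PGSSLMODE") or "prefer"
    if mode in ENFORCING:
        return ("enforced", mode)
    if env.get("PGREQUIRESSL", "").startswith("1"):
        # TLS depends solely on the variable this advisory says was ignored
        return ("relies-on-pgrequiressl", mode)
    return ("not-enforced", mode)


if __name__ == "__main__":
    # Constructed sample client configurations
    samples = [
        ({"PGREQUIRESSL": "1"}, "host=db.example.internal dbname=app"),
        ({"PGREQUIRESSL": "1", "PGSSLMODE": "verify-full"}, ""),
        ({}, "postgresql://db.example.internal/app?sslmode=require"),
    ]
    for env, conninfo in samples:
        print(audit(env, conninfo), env, conninfo)
```

A client reported as `relies-on-pgrequiressl` should set `sslmode` explicitly to one of the enforcing values instead of depending on the environment variable.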

Affected Products

PostgreSQL

References

CVE-2017-7485