A covert timing channel in the comparison of MD5-hashed passwords during PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may still have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
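An added audit query, not part of the advisory, for finding roles that still carry MD5-hashed passwords (for example after an upgrade from PostgreSQL 13 or earlier) and the `pg_hba.conf` rules that accept them. It assumes a superuser session, since `pg_authid` is not readable by ordinary roles.

```sql
-- 1. Classify every role by the kind of password verifier stored for it.
--    MD5 verifiers are stored as 'md5' followed by 32 hex digits;
--    SCRAM verifiers start with 'SCRAM-SHA-256$'.
SELECT rolname,
       rolcanlogin,
       rolvaliduntil,
       CASE
         WHEN rolpassword IS NULL                  THEN 'no password'
         WHEN rolpassword ~ '^md5[0-9a-f]{32}$'    THEN 'md5'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%'   THEN 'scram-sha-256'
         ELSE 'other'
       END AS verifier_type
FROM pg_authid
ORDER BY verifier_type, rolname;

-- 2. Confirm that newly set passwords will be stored as SCRAM.
--    If this returns 'md5', ALTER ROLE ... PASSWORD keeps producing MD5 verifiers.
SHOW password_encryption;

-- 3. List host-based authentication rules that use the md5 method.
--    A rule with method md5 uses SCRAM automatically when the role's stored
--    password is a SCRAM verifier, so these rules only matter for roles that
--    step 1 reports as 'md5'.
SELECT line_number, type, database, user_name, address, auth_method
FROM pg_hba_file_rules
WHERE auth_method = 'md5'
ORDER BY line_number;
```

Roles reported as `md5` need their password set again while `password_encryption` is `scram-sha-256` to get a SCRAM verifier; the stored MD5 hash cannot be converted in place.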
Exploitability
AV:N AC:L PR:N UI:N
Scope
S:U
Impact
C:L I:L A:N
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N