{"id":"CVE-2021-23214","details":"When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.","aliases":["BIT-postgresql-2021-23214"],"modified":"2026-04-16T04:38:53.836629183Z","published":"2022-03-04T16:15:08.293Z","related":["ALSA-2021:5235","ALSA-2021:5236","ALSA-2022:1830","SUSE-SU-2021:3755-1","SUSE-SU-2021:3757-1","SUSE-SU-2021:3758-1","SUSE-SU-2021:3759-1","SUSE-SU-2021:3760-1","SUSE-SU-2021:3761-1","SUSE-SU-2021:3762-1","SUSE-SU-2021:4058-1","SUSE-SU-2022:2893-1","SUSE-SU-2022:2958-1","openSUSE-SU-2021:1584-1","openSUSE-SU-2021:3758-1","openSUSE-SU-2021:3759-1","openSUSE-SU-2021:3762-1","openSUSE-SU-2021:4058-1","openSUSE-SU-2024:11625-1","openSUSE-SU-2024:11626-1","openSUSE-SU-2024:11627-1","openSUSE-SU-2024:11628-1","openSUSE-SU-2024:11629-1","openSUSE-SU-2024:13243-1","openSUSE-SU-2024:14360-1","openSUSE-SU-2025:15580-1"],"references":[{"type":"WEB","url":"https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commit%3Bh=28e24125541545483093819efae9bca603441951"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202211-04"},{"type":"ADVISORY","url":"https://www.postgresql.org/support/security/CVE-2021-23214/"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2022666"},{"type":"FIX","url":"https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/postgres/postgres","events":[{"introduced":"0"},{"fixed":"a4116b8d5a4f68803452d8f1aa3f74f302049a90"},{"introduced":"5df0e99bea1c3e5fbffa7fbd0982da88ea149bb6"},{"fixed":"477008d10fb5a024038ed23f0beba901f1f47ae2"},{"introduced":"19f20081df059fef87e14c8e953669bd173dd7f1"},{"fixed":"7f05af399052dab32c28c253fa891dc1e8b4224b"},{"introduced":"ad1f2885b8c82e0c2d56d7974f012cbecce17a17"},{"fixed":"8a94efd9bb71c2d5473836ce4899aedb9b4cfb2e"},{"introduced":"29be9983a64c011eac0b9ee29895cce71e15ea77"},{"fixed":"084346ccee8ead6b387a90cdf6a29036ae9ec77e"},{"introduced":"0"},{"last_affected":"86a4dc1e6f29d1992a2afa3fac1a0b0a6e84568c"},{"introduced":"0"},{"last_affected":"7d1402d0716ec3d48ff827d05276855e4234e42c"},{"introduced":"0"},{"last_affected":"c22b7eccd368754ea96865c046764382ab05db4b"},{"introduced":"0"},{"last_affected":"c22b7eccd368754ea96865c046764382ab05db4b"},{"introduced":"0"},{"last_affected":"c22b7eccd368754ea96865c046764382ab05db4b"},{"fixed":"28e24125541545483093819efae9bca603441951"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"9.6.24"},{"introduced":"10.0"},{"fixed":"10.19"},{"introduced":"11.0"},{"fixed":"11.14"},{"introduced":"12.0"},{"fixed":"12.9"},{"introduced":"13.0"},{"fixed":"13.5"},{"introduced":"0"},{"last_affected":"14.0"},{"introduced":"0"},{"last_affected":"1.0"},{"introduced":"0"},{"last_affected":"8.0"},{"introduced":"0"},{"last_affected":"8.0"},{"introduced":"0"},{"last_affected":"8.0"}]}}],"versions":["PG95-1_01","REL6_1","REL6_1_1","REL6_2","REL6_2_1","REL6_3","REL6_3_2","REL6_5","REL7_0","REL7_1","REL7_1_BETA","REL7_1_BETA2","REL7_1_BETA3","REL7_2","REL7_2_BETA1","REL7_2_BETA2","REL7_2_BETA3","REL7_2_BETA4","REL7_2_BETA5","REL7_2_RC1","REL7_2_RC2","REL7_4_BETA1","REL7_4_BETA2","REL7_4_BETA3","REL7_4_BETA4","REL7_4_BETA5","REL7_4_RC1","REL8_0_0","REL8_0_0BETA1","REL8_0_0BETA2","REL8_0_0BETA3","REL8_0_0BETA4","REL8_0_0BETA5","REL8_0_0RC1","REL8_0_0RC2","REL8_0_0RC3","REL8_0_0RC4","REL8_0_0RC5","REL8_1_0","REL8_1_0BETA1","REL8_1_0BETA2","REL8_1_0BETA3","REL8_1_0BETA4","REL8_1_0RC1","REL8_2_0","REL8_2_BETA1","REL8_2_BETA2","REL8_2_BETA3","REL8_2_RC1","REL8_3_0","REL8_3_BETA1","REL8_3_BETA2","REL8_3_BETA3","REL8_3_BETA4","REL8_3_RC1","REL8_3_RC2","REL8_4_0","REL8_4_BETA1","REL8_4_BETA2","REL8_4_RC1","REL8_4_RC2","REL9_0_ALPHA5","REL9_0_BETA1","REL9_0_BETA2","REL9_0_BETA3","REL9_1_ALPHA1","REL9_1_ALPHA2","REL9_1_ALPHA3","REL9_1_ALPHA4","REL9_1_ALPHA5","REL9_1_BETA1","REL9_1_BETA2","REL9_2_BETA1","REL9_2_BETA2","REL9_3_BETA1","REL9_4_BETA1","REL9_5_ALPHA1","REL9_6_0","REL9_6_1","REL9_6_10","REL9_6_11","REL9_6_12","REL9_6_13","REL9_6_14","REL9_6_15","REL9_6_16","REL9_6_17","REL9_6_18","REL9_6_19","REL9_6_2","REL9_6_20","REL9_6_21","REL9_6_22","REL9_6_23","REL9_6_3","REL9_6_4","REL9_6_5","REL9_6_6","REL9_6_7","REL9_6_8","REL9_6_9","REL9_6_BETA1","REL9_6_BETA2","REL9_6_BETA3","REL9_6_BETA4","REL9_6_RC1","REL_10_0","REL_10_1","REL_10_10","REL_10_11","REL_10_12","REL_10_13","REL_10_14","REL_10_15","REL_10_16","REL_10_17","REL_10_18","REL_10_2","REL_10_3","REL_10_4","REL_10_5","REL_10_6","REL_10_7","REL_10_8","REL_10_9","REL_10_BETA1","REL_10_BETA2","REL_10_BETA3","REL_11_0","REL_11_1","REL_11_10","REL_11_11","REL_11_12","REL_11_13","REL_11_2","REL_11_3","REL_11_4","REL_11_5","REL_11_6","REL_11_7","REL_11_8","REL_11_9","REL_11_BETA1","REL_11_BETA2","REL_12_0","REL_12_1","REL_12_2","REL_12_3","REL_12_4","REL_12_5","REL_12_6","REL_12_7","REL_12_8","REL_12_BETA1","REL_12_BETA2","REL_13_0","REL_13_1","REL_13_2","REL_13_3","REL_13_4","REL_13_BETA1","REL_14_0","REL_14_BETA1","REL_14_BETA2","REL_14_BETA3","REL_14_RC1","Release_1_0_2","Release_2_0","Release_2_0_0","release-6-3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23214.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"35"}]}],"vanir_signatures":[{"signature_type":"Function","target":{"function":"ProcessStartupPacket","file":"src/backend/postmaster/postmaster.c"},"signature_version":"v1","id":"CVE-2021-23214-105eea8c","digest":{"length":6502,"function_hash":"3811890202093623500044753568135729362"},"deprecated":false,"source":"https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951"},{"deprecated":false,"id":"CVE-2021-23214-55642aa1","signature_version":"v1","target":{"file":"src/backend/postmaster/postmaster.c"},"digest":{"threshold":0.9,"line_hashes":["144879391767781558536346253203041229101","143909272608489929547646403088676984859","165740410277193971204068639552488249268","152409958841785490640372562688845117313","234706297917235548429385406617794107408","11828208314494370596831837586978750783"]},"source":"https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951","signature_type":"Line"},{"signature_type":"Line","target":{"file":"src/backend/libpq/pqcomm.c"},"signature_version":"v1","id":"CVE-2021-23214-a802c310","digest":{"threshold":0.9,"line_hashes":["257279594944366299067624145088475835974","188038483610294623053840785400255306180","333524964208957746553278214859551397688"]},"deprecated":false,"source":"https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951"},{"source":"https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951","target":{"file":"src/include/libpq/libpq.h"},"signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["269875017630651410691849837907292701499","126933090860823315927436042326420265172","127112800835486014972045098290616986500","168426345693575339352762023412076698426"]},"id":"CVE-2021-23214-ee44c440","deprecated":false}],"vanir_signatures_modified":"2026-04-11T13:53:57Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}