PgBouncer Password Expiry Bypass Vulnerability

Vulnerability

A vulnerability in PgBouncer allows passwords to be used after their expiration date. The issue arises because the 'auth_query' PgBouncer uses to fetch credentials from PostgreSQL does not consider the 'VALID UNTIL' value set on the role, so PgBouncer still accepts a password that PostgreSQL itself would reject as expired. As a result, an attacker can log in with an expired password. This vulnerability affects PgBouncer versions 1.0.0 through 1.24.0.

Impact

Exploitation of this vulnerability allows users to authenticate with expired passwords, potentially leading to unauthorized access.

Remediation

Users can upgrade to PgBouncer version 1.24.1, which addresses this vulnerability by updating the default 'auth_query' to take password expiration into account. Those using a custom 'auth_query' should modify it to account for the 'VALID UNTIL' value, since upgrading alone does not change a custom query.
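The following is an added illustration, not PgBouncer's own code: it places an auth_query that ignores password expiry beside one that honours 'VALID UNTIL' (stored as pg_shadow.valuntil), then wraps the check in a SECURITY DEFINER function so the pooler's auth_user does not need superuser access to pg_shadow. The function name pgbouncer_auth_lookup, the role name pgbouncer and the test role expiry_test are assumptions for this example.

```sql
-- Added example (not PgBouncer's own code). Shows the class of query this
-- advisory describes and a hardened form that checks pg_shadow.valuntil.

-- Vulnerable form: the hash is returned regardless of expiry, so a role whose
-- VALID UNTIL has passed still authenticates through the pooler.
-- pgbouncer.ini: auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1
SELECT usename, passwd
  FROM pg_shadow
 WHERE usename = $1;

-- Hardened form: only return a hash while the role has not expired.
-- valuntil IS NULL means "never expires" and must be accepted explicitly;
-- a bare "valuntil > now()" would lock out every role without an expiry.
-- pgbouncer.ini: auth_query = SELECT usename, passwd FROM pg_shadow
--                             WHERE usename=$1 AND (valuntil IS NULL OR valuntil > now())
SELECT usename, passwd
  FROM pg_shadow
 WHERE usename = $1
   AND (valuntil IS NULL OR valuntil > now());

-- Same check behind a SECURITY DEFINER wrapper (hypothetical name), so the
-- auth_user role only needs EXECUTE on the function, not read access to pg_shadow.
CREATE OR REPLACE FUNCTION pgbouncer_auth_lookup(p_usename text)
RETURNS TABLE(usename name, passwd text)
LANGUAGE sql SECURITY DEFINER
SET search_path = pg_catalog
AS $$
  SELECT usename, passwd
    FROM pg_shadow
   WHERE usename = p_usename
     AND (valuntil IS NULL OR valuntil > now());
$$;
REVOKE ALL ON FUNCTION pgbouncer_auth_lookup(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pgbouncer_auth_lookup(text) TO pgbouncer;  -- assumed auth_user role
-- pgbouncer.ini: auth_query = SELECT * FROM pgbouncer_auth_lookup($1)

-- Verification (run as a superuser): a role already past its VALID UNTIL must
-- yield zero rows from the hardened lookup; the query returns true when it does.
CREATE ROLE expiry_test LOGIN PASSWORD 'test-only' VALID UNTIL '2000-01-01';
SELECT count(*) = 0 AS expired_role_is_rejected
  FROM pgbouncer_auth_lookup('expiry_test');
DROP ROLE expiry_test;
```

Reload PgBouncer after changing auth_query; the vulnerable form above should return a row for expiry_test and the hardened form none, which is the check to run before and after the change.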

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 5.0
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.