Pgpool-II
cpe:2.3:a:pgpool:pgpool-ii:*:*:*:*:*:*:*
- 4.6.0
- ~4.5
- ~4.4
- ~4.3
- ~4.2
- ~4.1
- ~4.0
Pgpool-II contains an authentication bypass vulnerability that allows attackers to log in as any user. This issue affects Pgpool-II versions 4.6.0, 4.5.0 through 4.5.6, 4.4.0 through 4.4.11, 4.3.0 through 4.3.14, 4.2.0 through 4.2.21, and all versions in the 4.1 and 4.0 series. The vulnerability arises only on systems where specific authentication configurations are in use, and it can potentially lead to unauthorized access to and manipulation of database information or disruption of database services.
Exploitation of this vulnerability could result in unauthorized access to the system as an arbitrary user, allowing for reading or modifying database data and possibly disabling the database.
Users are advised to upgrade to Pgpool-II versions 4.6.1, 4.5.7, 4.4.12, 4.3.15 or 4.2.22. For versions 4.0 and 4.1, no updates are available as these series are no longer supported.
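The affected ranges and fixed releases above can be turned into a version triage for an inventory of Pgpool-II hosts. This is an added example, not code from the Pgpool-II project; the host names and version strings are constructed, and a result of "affected" means only that the version is in range, since exposure also depends on the authentication configuration.

```python
import re

# First fixed patch level per supported series, from the advisory text above.
FIRST_FIXED = {(4, 6): 1, (4, 5): 7, (4, 4): 12, (4, 3): 15, (4, 2): 22}
# Series listed as affected with no update available (no longer supported).
UNSUPPORTED = {(4, 1), (4, 0)}


def classify(version_text):
    """Return (status, advice) for a string containing a Pgpool-II version."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version_text)
    if not m:
        return ("unparsed", "no version number found")
    major, minor = int(m.group(1)), int(m.group(2))
    series = (major, minor)
    if series in UNSUPPORTED:
        return ("affected-no-fix", "series unsupported; move to a fixed series")
    if series not in FIRST_FIXED:
        return ("not-listed", "series not covered by this advisory")
    if m.group(3) is None:
        return ("unknown", "patch level needed to decide")
    fixed = FIRST_FIXED[series]
    if int(m.group(3)) < fixed:
        return ("affected", f"upgrade to {major}.{minor}.{fixed}")
    return ("fixed", "at or above the first fixed release")


def triage(inventory):
    """Map each host in {host: version_text} to its classification."""
    return {host: classify(text) for host, text in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and version strings).
    sample = {
        "pool-a": "4.5.6",
        "pool-b": "pgpool-II version 4.4.12",
        "pool-c": "4.1.9",
        "pool-d": "4.6",
    }
    for host, (status, advice) in triage(sample).items():
        print(f"{host}: {status} ({advice})")
```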