CVE-2021-23214: 
PostgreSQL vulnerability analysis and mitigation

CVE-2021-23214 is a security vulnerability discovered in PostgreSQL that affects multiple versions of the database management system. When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. The vulnerability was disclosed on November 11, 2021, affecting PostgreSQL versions 9.6 through 14 (PostgreSQL Security).

The vulnerability occurs when the server collects data from the client socket during the initial connection. When SSL or GSS encryption is requested during startup, any additional data received with the initial request message remained in the buffer and would be treated as already-decrypted data once the encryption handshake completed. This allowed a man-in-the-middle attacker to inject cleartext data into the start of an encryption-protected database session. The CVSS 3.0 score for this vulnerability is 8.1 (High), with a vector of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (PostgreSQL Security).

The vulnerability could allow attackers to send faked SQL commands to the server, particularly effective against servers relying on SSL certificate authentication. This could potentially lead to unauthorized data access, manipulation, or other malicious activities in the database system (CVE Mitre).

The vulnerability has been fixed in PostgreSQL versions 14.1, 13.5, 12.9, 11.14, 10.19, and 9.6.24. The fix implements a protocol-violation error if the internal buffer is not empty after the encryption handshake. Organizations are strongly advised to upgrade to these patched versions (PostgreSQL Security).