Project: Red Hat build of Keycloak
Issue: RHBK-3327

Upgrade org.postgresql:postgresql to version 42.7.7 to address CVE-2025-49146 [GHI#40553]

      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      dependencies

      Describe the bug

      A security vulnerability has been detected by Trivy in the project's dependencies.

      Package: org.postgresql:postgresql

      Installed Version: 42.7.5

      Vulnerable Versions: >= 42.7.4, < 42.7.7

      Fixed Version: 42.7.7

      CVE ID: CVE-2025-49146

      Severity: HIGH

      Description

      The PostgreSQL JDBC driver (pgjdbc), in versions 42.7.4 through 42.7.6, contains a high-severity vulnerability.

      When the driver is configured with channelBinding=required (the default is prefer), it incorrectly permits connections using authentication methods that do not support channel binding (e.g., password, MD5, GSS, SSPI). This flaw could allow a Man-in-the-Middle (MITM) attacker to intercept and compromise connections that are intended to be protected by channel binding.

      Action Required
      To mitigate this vulnerability, the org.postgresql:postgresql dependency should be upgraded to version 42.7.7 or later.

      <!-- Example for Maven -->
      <dependency>
        <groupId>org.postgresql</groupId>
        <artifactId>postgresql</artifactId>
        <version>42.7.7</version>
      </dependency>
      

      Version

      26.2.5

      Regression

      [ ] The issue is a regression

      Expected behavior

      No CVEs reported for PostgreSQL.

      Actual behavior

      CVEs reported for PostgreSQL.

      How to Reproduce?

      Check scanner alerts.

      Anything else?

      EDIT: Will be solved by https://github.com/keycloak/keycloak/issues/40591

      Remediation

      (edited by @mabartos)

      Do not use channelBinding=required in your db-url-properties or db-url for the PostgreSQL JDBC driver URL. The default value is channelBinding=preferred, so Keycloak is not affected by default.

      If you're already using channelBinding=required, it is recommended to use sslMode=verify-full (and ensure TLS), as using authentication on a non-secure transport is not recommended (this is where the MITM attack comes from). Note that this works around the issue (and lets you use "required" or "preferred"). (Recommended by @cescoffier.)
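      A configuration check combining the affected version range from the bug report with the remediation note above. This is an added example, not code from this issue, from Keycloak or from pgjdbc; it assumes db-url-properties is a "?key=value&key=value" suffix, matches property names case-insensitively, and accepts both the "required" spelling used in the advisory and "require" for the channel-binding setting.

```python
# Added check for Keycloak deployments (not Keycloak or pgjdbc code): classifies a
# pgjdbc version plus Keycloak --db-url / --db-url-properties against CVE-2025-49146.
from urllib.parse import parse_qsl, urlsplit

FIRST_AFFECTED, FIXED = (42, 7, 4), (42, 7, 7)   # vulnerable range from the advisory

def parse_version(text):
    """'42.7.5' -> (42, 7, 5); the range check compares numeric tuples."""
    return tuple(int(part) for part in text.split("."))

def jdbc_properties(db_url, db_url_properties=""):
    """Merge driver properties from the JDBC URL query string and from Keycloak's
    db-url-properties value (assumed here to be a '?k=v&k=v' suffix). Keys are
    lower-cased so 'sslMode' and 'sslmode' compare equal (a simplifying assumption)."""
    query = urlsplit(db_url.removeprefix("jdbc:")).query   # jdbc:postgresql://host/db?...
    merged = dict(parse_qsl(query))
    merged.update(parse_qsl(db_url_properties.lstrip("?")))
    return {key.lower(): value for key, value in merged.items()}

def assess(driver_version, db_url, db_url_properties=""):
    """Return one of 'unaffected-driver', 'not-exposed', 'mitigated', 'exposed'."""
    version = parse_version(driver_version)
    if not (FIRST_AFFECTED <= version < FIXED):
        return "unaffected-driver"    # 42.7.7+ (or < 42.7.4) is outside the advisory range
    props = jdbc_properties(db_url, db_url_properties)
    # The advisory writes channelBinding=required; 'require' is accepted too so a
    # differently spelled setting is not silently passed (assumption, see lead-in).
    if props.get("channelbinding", "prefer") not in ("required", "require"):
        return "not-exposed"          # the default (prefer) is not affected
    if props.get("sslmode") == "verify-full":
        return "mitigated"            # workaround from the remediation note; still upgrade
    return "exposed"                  # upgrade org.postgresql:postgresql to 42.7.7 or later

if __name__ == "__main__":
    # Constructed sample configurations, not taken from any real deployment.
    samples = [
        ("42.7.5", "jdbc:postgresql://db.internal:5432/keycloak", ""),
        ("42.7.5", "jdbc:postgresql://db.internal:5432/keycloak?channelBinding=required", ""),
        ("42.7.5", "jdbc:postgresql://db.internal:5432/keycloak",
         "?channelBinding=required&sslMode=verify-full"),
        ("42.7.7", "jdbc:postgresql://db.internal:5432/keycloak?channelBinding=required", ""),
    ]
    for ver, url, extra in samples:
        print(ver, url, extra or "-", "->", assess(ver, url, extra))
```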

              Assignee: Unassigned
              Reporter: Pavel Vlha (pvlha)
              Keycloak Cloud Native