Published:2025/05/15  Last Updated:2025/05/15

JVN#06238225
Pgpool-II vulnerable to authentication bypass by primary weakness

Overview

Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability.

Products Affected

The following versions of Pgpool-II are affected:

  • 4.6.0
  • 4.5.0 to 4.5.6
  • 4.4.0 to 4.4.11
  • 4.3.0 to 4.3.14
  • 4.2.0 to 4.2.21
  • All versions of 4.1 series
  • All versions of 4.0 series

This vulnerability only affects systems that meet any of the conditions in patterns below:

Pattern 1: All of the following conditions must be met.
  • Password authentication method is configured in pool_hba.conf
  • allow_clear_text_frontend_auth = off
  • Victim user's password is not set in pool_passwd
  • scram-sha-256 or md5 authentication method is configured in pg_hba.conf

Pattern 2: All of the following conditions must be met.
  • enable_pool_hba = off
  • One of the authentication methods among password, pam, and ldap is configured in pg_hba.conf

Pattern 3: All  of the following conditions must be met.
  • Pgpool-II is running in raw mode (backend_clustering_mode = 'raw')
  • md5 authentication method is configured in pool_hba.conf
  • allow_clear_text_frontend_auth = off
  • Victim user's password is stored as plaintext or AES format in pool_passwd
  • One of the authentication methods among password, pam, and ldap is configured in pg_hba.conf

Description

Pgpool-II provided by PgPool Global Development Group contains the following vulnerability.

  • Authentication bypass by primary weakness (CWE-305)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
    • CVE-2025-46801

Impact

An attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database.

Solution

Update the Software
Apply the appropriate updates for the respective versions according to the information provided by the developer.
The developer has released the following versions that address the vulnerability.

  • Pgpool-II 4.6.1
  • Pgpool-II 4.5.7
  • Pgpool-II 4.4.12
  • Pgpool-II 4.3.15
  • Pgopol-II 4.2.22
The developer recommends that users should upgrade the software to the above versions, but as 4.0 and 4.1 series are no longer supported (End-of-Support), no updates/patches will be provided for them.

Vendor Status

Vendor Status Last Update Vendor Notes
pgpool-II Global Development Group Vulnerable 2025/05/15 pgpool-II Global Development Group website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

PgPool Global Development Group reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and PgPool Global Development Group coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2025-46801
JVN iPedia JVNDB-2025-000031