Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-12819 (GCVE-0-2025-12819)
Vulnerability from cvelistv5 – Published: 2025-12-03 19:00 – Updated: 2025-12-27 16:04
VLAI
EPSS
Title
Untrusted search path in auth_query connection in PgBouncer
Summary
Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-426 - Untrusted Search Path
Assigner
References
Credits
Thanks to Jason Tsang of Snowflake Inc. for finding this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12819",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T19:11:14.559731Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T19:11:59.406Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-12-27T16:04:17.588Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00033.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PgBouncer",
"vendor": "n/a",
"versions": [
{
"lessThan": "1.25.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "track_extra_parameters includes search_path (non-default configuration) AND auth_user is set to a non-empty string (non-default configuration) AND auth_query is configured without fully-qualified object names (default configuration, the \u003c operator is not schema qualified)"
},
{
"lang": "en",
"value": "track_extra_parameters includes another security sensitive parameter (non-default configuration and extremely unlikely) and auth_user is set to a non-empty string (non-default configuration)"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks to Jason Tsang of Snowflake Inc. for finding this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T22:38:58.388Z",
"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"shortName": "PostgreSQL"
},
"references": [
{
"url": "https://www.pgbouncer.org/changelog.html#pgbouncer-125x"
}
],
"title": "Untrusted search path in auth_query connection in PgBouncer",
"workarounds": [
{
"lang": "en",
"value": "Remove search_path and any other security sensitive parameters from track_extra_parameters"
},
{
"lang": "en",
"value": "ensure auth_query uses fully-qualified object and operator names (e.g., pg_catalog.current_user instead of current_user)"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"assignerShortName": "PostgreSQL",
"cveId": "CVE-2025-12819",
"datePublished": "2025-12-03T19:00:09.063Z",
"dateReserved": "2025-11-06T17:22:32.839Z",
"dateUpdated": "2025-12-27T16:04:17.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-12819",
"date": "2026-06-19",
"epss": "0.00315",
"percentile": "0.23019"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-12819\",\"sourceIdentifier\":\"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007\",\"published\":\"2025-12-03T19:15:55.227\",\"lastModified\":\"2025-12-27T16:15:51.840\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-426\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pgbouncer:pgbouncer:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.25.1\",\"matchCriteriaId\":\"CE71D84A-CE1D-4AE3-9618-49027227EEBE\"}]}]}],\"references\":[{\"url\":\"https://www.pgbouncer.org/changelog.html#pgbouncer-125x\",\"source\":\"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/12/msg00033.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/12/msg00033.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-12-27T16:04:17.588Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-12819\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-03T19:11:14.559731Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-03T19:11:33.360Z\"}}], \"cna\": {\"title\": \"Untrusted search path in auth_query connection in PgBouncer\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Thanks to Jason Tsang of Snowflake Inc. for finding this issue.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\"}}], \"affected\": [{\"vendor\": \"n/a\", \"product\": \"PgBouncer\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.25.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.pgbouncer.org/changelog.html#pgbouncer-125x\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Remove search_path and any other security sensitive parameters from track_extra_parameters\"}, {\"lang\": \"en\", \"value\": \"ensure auth_query uses fully-qualified object and operator names (e.g., pg_catalog.current_user instead of current_user)\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-426\", \"description\": \"Untrusted Search Path\"}]}], \"configurations\": [{\"lang\": \"en\", \"value\": \"track_extra_parameters includes search_path (non-default configuration) AND auth_user is set to a non-empty string (non-default configuration) AND auth_query is configured without fully-qualified object names (default configuration, the \u003c operator is not schema qualified)\"}, {\"lang\": \"en\", \"value\": \"track_extra_parameters includes another security sensitive parameter (non-default configuration and extremely unlikely) and auth_user is set to a non-empty string (non-default configuration)\"}], \"providerMetadata\": {\"orgId\": \"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007\", \"shortName\": \"PostgreSQL\", \"dateUpdated\": \"2025-12-03T22:38:58.388Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-12819\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-27T16:04:17.588Z\", \"dateReserved\": \"2025-11-06T17:22:32.839Z\", \"assignerOrgId\": \"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007\", \"datePublished\": \"2025-12-03T19:00:09.063Z\", \"assignerShortName\": \"PostgreSQL\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
CERTFR-2025-AVI-1061
Vulnerability from certfr_avis - Published: 2025-12-04 - Updated: 2025-12-04
Une vulnérabilité a été découverte dans PostgreSQL PgBouncer. Elle permet à un attaquant de provoquer une injection SQL (SQLi).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| PostgreSQL | PgBouncer | PgBouncer versions antérieures à 1.25.1 |
References
| Title | Publication Time | Tags | |
|---|---|---|---|
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "PgBouncer versions ant\u00e9rieures \u00e0 1.25.1 ",
"product": {
"name": "PgBouncer",
"vendor": {
"name": "PostgreSQL",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-12819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12819"
}
],
"initial_release_date": "2025-12-04T00:00:00",
"last_revision_date": "2025-12-04T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1061",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-04T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection SQL (SQLi)"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans PostgreSQL PgBouncer. Elle permet \u00e0 un attaquant de provoquer une injection SQL (SQLi).",
"title": "Vuln\u00e9rabilit\u00e9 dans PostgreSQL PgBouncer",
"vendor_advisories": [
{
"published_at": "2025-12-03",
"title": "Bulletin de s\u00e9curit\u00e9 PostgreSQL pgbouncer-1251-released-fixing-a-bunch-of-bugs-before-christmas-including-cve-2025-12819-3189",
"url": "https://www.postgresql.org/about/news/pgbouncer-1251-released-fixing-a-bunch-of-bugs-before-christmas-including-cve-2025-12819-3189/"
}
]
}
CERTFR-2025-AVI-1078
Vulnerability from certfr_avis - Published: 2025-12-08 - Updated: 2025-12-08
De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | N/A | cbl2 msft-golang 1.24.9-1 | ||
| Microsoft | N/A | cbl2 golang 1.22.7-5 | ||
| Microsoft | N/A | azl3 golang 1.23.12-1 | ||
| Microsoft | N/A | cbl2 python3 3.9.19-16 | ||
| Microsoft | N/A | cbl2 python-tensorboard 2.11.0-3 | ||
| Microsoft | N/A | cbl2 qt5-qtbase 5.12.11-18 | ||
| Microsoft | N/A | cbl2 reaper 3.1.1-21 | ||
| Microsoft | N/A | cbl2 python3 3.9.19-17 | ||
| Microsoft | N/A | azl3 python-tensorboard 2.16.2-6 | ||
| Microsoft | N/A | azl3 kernel 6.6.112.1-2 | ||
| Microsoft | N/A | cbl2 vim 9.1.1616-1 | ||
| Microsoft | N/A | cbl2 kernel 5.15.186.1-1 | ||
| Microsoft | N/A | azl3 tensorflow 2.16.1-9 | ||
| Microsoft | N/A | cbl2 gcc 11.2.0-8 | ||
| Microsoft | N/A | azl3 vim 9.1.1616-1 | ||
| Microsoft | N/A | azl3 golang 1.25.3-1 | ||
| Microsoft | N/A | azl3 pgbouncer 1.24.1-1 | ||
| Microsoft | N/A | cbl2 tensorflow 2.11.1-2 | ||
| Microsoft | N/A | azl3 libpng 1.6.40-1 versions antérieures à 1.6.52-1 | ||
| Microsoft | N/A | azl3 gcc 13.2.0-7 | ||
| Microsoft | N/A | azl3 python3 3.12.9-5 | ||
| Microsoft | N/A | cbl2 golang 1.18.8-10 | ||
| Microsoft | N/A | cbl2 reaper 3.1.1-19 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "cbl2 msft-golang 1.24.9-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 golang 1.22.7-5",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 golang 1.23.12-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 python3 3.9.19-16",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 python-tensorboard 2.11.0-3",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 qt5-qtbase 5.12.11-18",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 reaper 3.1.1-21",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 python3 3.9.19-17",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 python-tensorboard 2.16.2-6",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 kernel 6.6.112.1-2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 vim 9.1.1616-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 kernel 5.15.186.1-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 tensorflow 2.16.1-9",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 gcc 11.2.0-8",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 vim 9.1.1616-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 golang 1.25.3-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 pgbouncer 1.24.1-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 tensorflow 2.11.1-2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 libpng 1.6.40-1 versions ant\u00e9rieures \u00e0 1.6.52-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 gcc 13.2.0-7",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 python3 3.12.9-5",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 golang 1.18.8-10",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 reaper 3.1.1-19",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-40254",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40254"
},
{
"name": "CVE-2025-40219",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40219"
},
{
"name": "CVE-2025-40240",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40240"
},
{
"name": "CVE-2025-12084",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12084"
},
{
"name": "CVE-2023-53209",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53209"
},
{
"name": "CVE-2025-40251",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40251"
},
{
"name": "CVE-2025-13837",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13837"
},
{
"name": "CVE-2022-50304",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50304"
},
{
"name": "CVE-2025-40245",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40245"
},
{
"name": "CVE-2025-40233",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40233"
},
{
"name": "CVE-2025-40242",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40242"
},
{
"name": "CVE-2025-61727",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61727"
},
{
"name": "CVE-2025-40252",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40252"
},
{
"name": "CVE-2025-40218",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40218"
},
{
"name": "CVE-2025-40220",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40220"
},
{
"name": "CVE-2025-40257",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40257"
},
{
"name": "CVE-2025-40263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40263"
},
{
"name": "CVE-2025-13836",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13836"
},
{
"name": "CVE-2025-66293",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66293"
},
{
"name": "CVE-2025-40250",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40250"
},
{
"name": "CVE-2025-40264",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40264"
},
{
"name": "CVE-2025-66476",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66476"
},
{
"name": "CVE-2022-50303",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50303"
},
{
"name": "CVE-2025-40243",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40243"
},
{
"name": "CVE-2025-40266",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40266"
},
{
"name": "CVE-2024-6485",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6485"
},
{
"name": "CVE-2025-12385",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12385"
},
{
"name": "CVE-2023-53231",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53231"
},
{
"name": "CVE-2025-40247",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40247"
},
{
"name": "CVE-2025-40215",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40215"
},
{
"name": "CVE-2025-40217",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40217"
},
{
"name": "CVE-2025-40248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40248"
},
{
"name": "CVE-2025-40259",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40259"
},
{
"name": "CVE-2025-40253",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40253"
},
{
"name": "CVE-2025-12819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12819"
},
{
"name": "CVE-2025-40258",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40258"
},
{
"name": "CVE-2025-34297",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-34297"
},
{
"name": "CVE-2025-40262",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40262"
},
{
"name": "CVE-2025-40261",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40261"
},
{
"name": "CVE-2025-40244",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40244"
},
{
"name": "CVE-2025-40223",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40223"
},
{
"name": "CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
}
],
"initial_release_date": "2025-12-08T00:00:00",
"last_revision_date": "2025-12-08T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1078",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-08T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
"vendor_advisories": [
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40254",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40254"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40257",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40257"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40245",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40245"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40258",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40258"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2022-50304",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-50304"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40219",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40219"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40233",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40233"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40244",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40244"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2023-53209",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-53209"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-61729",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-61729"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40262",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40262"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40253",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40253"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40223",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40223"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40217",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40217"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2024-6485",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-6485"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40252",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40252"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40250",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40250"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40261",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40261"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40215",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40215"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40264",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40264"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40263",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40263"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-12084",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-12084"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-12385",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-12385"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-12819",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-12819"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-61727",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-61727"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40242",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40242"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40259",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40259"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2022-50303",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-50303"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40243",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40243"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40251",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40251"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40247",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40247"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40220",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40220"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-66476",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-66476"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40240",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40240"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40248",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40248"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-13836",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-13836"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-66293",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-66293"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2023-53231",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-53231"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40218",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40218"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-13837",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-13837"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40266",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40266"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-34297",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-34297"
}
]
}
CERTFR-2025-AVI-1061
Vulnerability from certfr_avis - Published: 2025-12-04 - Updated: 2025-12-04
Une vulnérabilité a été découverte dans PostgreSQL PgBouncer. Elle permet à un attaquant de provoquer une injection SQL (SQLi).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| PostgreSQL | PgBouncer | PgBouncer versions antérieures à 1.25.1 |
References
| Title | Publication Time | Tags | |
|---|---|---|---|
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "PgBouncer versions ant\u00e9rieures \u00e0 1.25.1 ",
"product": {
"name": "PgBouncer",
"vendor": {
"name": "PostgreSQL",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-12819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12819"
}
],
"initial_release_date": "2025-12-04T00:00:00",
"last_revision_date": "2025-12-04T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1061",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-04T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection SQL (SQLi)"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans PostgreSQL PgBouncer. Elle permet \u00e0 un attaquant de provoquer une injection SQL (SQLi).",
"title": "Vuln\u00e9rabilit\u00e9 dans PostgreSQL PgBouncer",
"vendor_advisories": [
{
"published_at": "2025-12-03",
"title": "Bulletin de s\u00e9curit\u00e9 PostgreSQL pgbouncer-1251-released-fixing-a-bunch-of-bugs-before-christmas-including-cve-2025-12819-3189",
"url": "https://www.postgresql.org/about/news/pgbouncer-1251-released-fixing-a-bunch-of-bugs-before-christmas-including-cve-2025-12819-3189/"
}
]
}
CERTFR-2025-AVI-1078
Vulnerability from certfr_avis - Published: 2025-12-08 - Updated: 2025-12-08
De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | N/A | cbl2 msft-golang 1.24.9-1 | ||
| Microsoft | N/A | cbl2 golang 1.22.7-5 | ||
| Microsoft | N/A | azl3 golang 1.23.12-1 | ||
| Microsoft | N/A | cbl2 python3 3.9.19-16 | ||
| Microsoft | N/A | cbl2 python-tensorboard 2.11.0-3 | ||
| Microsoft | N/A | cbl2 qt5-qtbase 5.12.11-18 | ||
| Microsoft | N/A | cbl2 reaper 3.1.1-21 | ||
| Microsoft | N/A | cbl2 python3 3.9.19-17 | ||
| Microsoft | N/A | azl3 python-tensorboard 2.16.2-6 | ||
| Microsoft | N/A | azl3 kernel 6.6.112.1-2 | ||
| Microsoft | N/A | cbl2 vim 9.1.1616-1 | ||
| Microsoft | N/A | cbl2 kernel 5.15.186.1-1 | ||
| Microsoft | N/A | azl3 tensorflow 2.16.1-9 | ||
| Microsoft | N/A | cbl2 gcc 11.2.0-8 | ||
| Microsoft | N/A | azl3 vim 9.1.1616-1 | ||
| Microsoft | N/A | azl3 golang 1.25.3-1 | ||
| Microsoft | N/A | azl3 pgbouncer 1.24.1-1 | ||
| Microsoft | N/A | cbl2 tensorflow 2.11.1-2 | ||
| Microsoft | N/A | azl3 libpng 1.6.40-1 versions antérieures à 1.6.52-1 | ||
| Microsoft | N/A | azl3 gcc 13.2.0-7 | ||
| Microsoft | N/A | azl3 python3 3.12.9-5 | ||
| Microsoft | N/A | cbl2 golang 1.18.8-10 | ||
| Microsoft | N/A | cbl2 reaper 3.1.1-19 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "cbl2 msft-golang 1.24.9-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 golang 1.22.7-5",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 golang 1.23.12-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 python3 3.9.19-16",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 python-tensorboard 2.11.0-3",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 qt5-qtbase 5.12.11-18",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 reaper 3.1.1-21",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 python3 3.9.19-17",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 python-tensorboard 2.16.2-6",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 kernel 6.6.112.1-2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 vim 9.1.1616-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 kernel 5.15.186.1-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 tensorflow 2.16.1-9",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 gcc 11.2.0-8",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 vim 9.1.1616-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 golang 1.25.3-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 pgbouncer 1.24.1-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 tensorflow 2.11.1-2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 libpng 1.6.40-1 versions ant\u00e9rieures \u00e0 1.6.52-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 gcc 13.2.0-7",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 python3 3.12.9-5",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 golang 1.18.8-10",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 reaper 3.1.1-19",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-40254",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40254"
},
{
"name": "CVE-2025-40219",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40219"
},
{
"name": "CVE-2025-40240",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40240"
},
{
"name": "CVE-2025-12084",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12084"
},
{
"name": "CVE-2023-53209",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53209"
},
{
"name": "CVE-2025-40251",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40251"
},
{
"name": "CVE-2025-13837",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13837"
},
{
"name": "CVE-2022-50304",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50304"
},
{
"name": "CVE-2025-40245",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40245"
},
{
"name": "CVE-2025-40233",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40233"
},
{
"name": "CVE-2025-40242",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40242"
},
{
"name": "CVE-2025-61727",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61727"
},
{
"name": "CVE-2025-40252",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40252"
},
{
"name": "CVE-2025-40218",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40218"
},
{
"name": "CVE-2025-40220",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40220"
},
{
"name": "CVE-2025-40257",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40257"
},
{
"name": "CVE-2025-40263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40263"
},
{
"name": "CVE-2025-13836",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13836"
},
{
"name": "CVE-2025-66293",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66293"
},
{
"name": "CVE-2025-40250",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40250"
},
{
"name": "CVE-2025-40264",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40264"
},
{
"name": "CVE-2025-66476",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66476"
},
{
"name": "CVE-2022-50303",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50303"
},
{
"name": "CVE-2025-40243",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40243"
},
{
"name": "CVE-2025-40266",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40266"
},
{
"name": "CVE-2024-6485",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6485"
},
{
"name": "CVE-2025-12385",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12385"
},
{
"name": "CVE-2023-53231",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53231"
},
{
"name": "CVE-2025-40247",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40247"
},
{
"name": "CVE-2025-40215",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40215"
},
{
"name": "CVE-2025-40217",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40217"
},
{
"name": "CVE-2025-40248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40248"
},
{
"name": "CVE-2025-40259",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40259"
},
{
"name": "CVE-2025-40253",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40253"
},
{
"name": "CVE-2025-12819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12819"
},
{
"name": "CVE-2025-40258",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40258"
},
{
"name": "CVE-2025-34297",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-34297"
},
{
"name": "CVE-2025-40262",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40262"
},
{
"name": "CVE-2025-40261",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40261"
},
{
"name": "CVE-2025-40244",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40244"
},
{
"name": "CVE-2025-40223",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40223"
},
{
"name": "CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
}
],
"initial_release_date": "2025-12-08T00:00:00",
"last_revision_date": "2025-12-08T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1078",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-08T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
"vendor_advisories": [
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40254",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40254"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40257",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40257"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40245",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40245"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40258",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40258"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2022-50304",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-50304"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40219",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40219"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40233",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40233"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40244",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40244"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2023-53209",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-53209"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-61729",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-61729"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40262",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40262"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40253",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40253"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40223",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40223"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40217",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40217"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2024-6485",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-6485"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40252",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40252"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40250",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40250"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40261",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40261"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40215",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40215"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40264",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40264"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40263",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40263"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-12084",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-12084"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-12385",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-12385"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-12819",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-12819"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-61727",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-61727"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40242",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40242"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40259",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40259"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2022-50303",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-50303"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40243",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40243"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40251",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40251"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40247",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40247"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40220",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40220"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-66476",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-66476"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40240",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40240"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40248",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40248"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-13836",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-13836"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-66293",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-66293"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2023-53231",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-53231"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40218",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40218"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-13837",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-13837"
},
{
"published_at": "2025-12-06",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40266",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40266"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-34297",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-34297"
}
]
}
bit-pgbouncer-2025-12819
Vulnerability from bitnami_vulndb
Published
2025-12-06 11:44
Modified
2025-12-28 12:07
Summary
Untrusted search path in auth_query connection in PgBouncer
Details
Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "pgbouncer",
"purl": "pkg:bitnami/pgbouncer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.25.1"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2025-12819"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:pgbouncer:pgbouncer:*:*:*:*:*:*:*:*"
],
"severity": "High"
},
"details": "Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.",
"id": "BIT-pgbouncer-2025-12819",
"modified": "2025-12-28T12:07:40.562Z",
"published": "2025-12-06T11:44:20.875Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12819"
},
{
"type": "WEB",
"url": "https://www.pgbouncer.org/changelog.html#pgbouncer-125x"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00033.html"
}
],
"schema_version": "1.6.2",
"summary": "Untrusted search path in auth_query connection in PgBouncer"
}
FKIE_CVE-2025-12819
Vulnerability from fkie_nvd - Published: 2025-12-03 19:15 - Updated: 2026-06-17 08:33
Severity
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.
References
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"product": "PgBouncer",
"vendor": "n/a",
"versions": [
{
"lessThan": "1.25.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pgbouncer:pgbouncer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CE71D84A-CE1D-4AE3-9618-49027227EEBE",
"versionEndExcluding": "1.25.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage."
}
],
"id": "CVE-2025-12819",
"lastModified": "2026-06-17T08:33:00.183",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2025-12819",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T19:11:14.559731Z",
"version": "2.0.3"
}
}
]
},
"published": "2025-12-03T19:15:55.227",
"references": [
{
"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"tags": [
"Release Notes"
],
"url": "https://www.pgbouncer.org/changelog.html#pgbouncer-125x"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00033.html"
}
],
"sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-426"
}
],
"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"type": "Secondary"
}
]
}
GHSA-QPXX-2FWX-F5QJ
Vulnerability from github – Published: 2025-12-03 21:31 – Updated: 2025-12-27 18:30
VLAI
Details
Untrusted search path in auth_query connection handler in PgBouncer before 1.25.0 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.
Severity
7.5 (High)
{
"affected": [],
"aliases": [
"CVE-2025-12819"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-03T19:15:55Z",
"severity": "HIGH"
},
"details": "Untrusted search path in auth_query connection handler in PgBouncer before 1.25.0 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.",
"id": "GHSA-qpxx-2fwx-f5qj",
"modified": "2025-12-27T18:30:23Z",
"published": "2025-12-03T21:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12819"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00033.html"
},
{
"type": "WEB",
"url": "https://www.pgbouncer.org/changelog.html#pgbouncer-124x"
},
{
"type": "WEB",
"url": "https://www.pgbouncer.org/changelog.html#pgbouncer-125x"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
MSRC_CVE-2025-12819
Vulnerability from csaf_microsoft - Published: 2025-12-02 00:00 - Updated: 2025-12-23 01:37Summary
Untrusted search path in auth_query connection in PgBouncer
Notes
Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
7.5 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 19349-17086 | — | ||
| Unresolved product id: 19350-17084 | — |
References
4 references
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2025/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2025/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2025-12819 Untrusted search path in auth_query connection in PgBouncer - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-12819.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "Untrusted search path in auth_query connection in PgBouncer",
"tracking": {
"current_release_date": "2025-12-23T01:37:37.000Z",
"generator": {
"date": "2025-12-23T08:38:23.352Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2025-12819",
"initial_release_date": "2025-12-02T00:00:00.000Z",
"revision_history": [
{
"date": "2025-12-05T01:02:46.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2025-12-06T01:04:01.000Z",
"legacy_version": "2",
"number": "2",
"summary": "Information published."
},
{
"date": "2025-12-20T14:35:11.000Z",
"legacy_version": "3",
"number": "3",
"summary": "Information published."
},
{
"date": "2025-12-23T01:37:37.000Z",
"legacy_version": "4",
"number": "4",
"summary": "Information published."
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
},
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 pgbouncer 1.24.1-1",
"product": {
"name": "\u003ccbl2 pgbouncer 1.24.1-1",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "cbl2 pgbouncer 1.24.1-1",
"product": {
"name": "cbl2 pgbouncer 1.24.1-1",
"product_id": "19349"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 pgbouncer 1.24.1-1",
"product": {
"name": "\u003cazl3 pgbouncer 1.24.1-1",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "azl3 pgbouncer 1.24.1-1",
"product": {
"name": "azl3 pgbouncer 1.24.1-1",
"product_id": "19350"
}
}
],
"category": "product_name",
"name": "pgbouncer"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 pgbouncer 1.24.1-1 as a component of CBL Mariner 2.0",
"product_id": "17086-2"
},
"product_reference": "2",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 pgbouncer 1.24.1-1 as a component of CBL Mariner 2.0",
"product_id": "19349-17086"
},
"product_reference": "19349",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 pgbouncer 1.24.1-1 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 pgbouncer 1.24.1-1 as a component of Azure Linux 3.0",
"product_id": "19350-17084"
},
"product_reference": "19350",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-12819",
"cwe": {
"id": "CWE-426",
"name": "Untrusted Search Path"
},
"notes": [
{
"category": "general",
"text": "PostgreSQL",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"19349-17086",
"19350-17084"
],
"known_affected": [
"17086-2",
"17084-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-12819 Untrusted search path in auth_query connection in PgBouncer - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-12819.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-05T01:02:46.000Z",
"details": "1.25.1-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-2",
"17084-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalsScore": 0.0,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"17086-2",
"17084-1"
]
}
],
"title": "Untrusted search path in auth_query connection in PgBouncer"
}
]
}
WID-SEC-W-2025-2734
Vulnerability from csaf_certbund - Published: 2025-12-03 23:00 - Updated: 2025-12-28 23:00Summary
PgBouncer: Schwachstelle ermöglicht SQL injection
Severity
Mittel
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: PgBouncer ist ein leichtgewichtiger Connection-Pooler für PostgreSQL
Angriff: Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in PgBouncer ausnutzen, um einen SQL-Injection Angriff durchzuführen.
Betroffene Betriebssysteme: - Linux
- Sonstiges
- UNIX
- Windows
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source PgBouncer <1.25.1
Open Source / PgBouncer
|
<1.25.1 | ||
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Microsoft Azure Linux azl3
Microsoft / Azure Linux
|
cpe:/o:microsoft:azure_linux:azl3
|
azl3 |
References
6 references
| URL | Category |
|---|---|
| https://wid.cert-bund.de/.well-known/csaf/white/2… | self |
| https://wid.cert-bund.de/portal/wid/securityadvis… | self |
| https://www.pgbouncer.org/2025/12/pgbouncer-1.25-1 | external |
| https://www.pgbouncer.org/changelog.html | external |
| https://msrc.microsoft.com/update-guide/ | external |
| https://lists.debian.org/debian-lts-announce/2025… | external |
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "PgBouncer ist ein leichtgewichtiger Connection-Pooler f\u00fcr PostgreSQL",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in PgBouncer ausnutzen, um einen SQL-Injection Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2734 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2734.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2734 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2734"
},
{
"category": "external",
"summary": "PgBouncer Release 1.25.1 vom 2025-12-03",
"url": "https://www.pgbouncer.org/2025/12/pgbouncer-1.25-1"
},
{
"category": "external",
"summary": "PgBouncer changelog vom 2025-12-03",
"url": "https://www.pgbouncer.org/changelog.html"
},
{
"category": "external",
"summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates vom 2025-12-09",
"url": "https://msrc.microsoft.com/update-guide/"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4422 vom 2025-12-27",
"url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00033.html"
}
],
"source_lang": "en-US",
"title": "PgBouncer: Schwachstelle erm\u00f6glicht SQL injection",
"tracking": {
"current_release_date": "2025-12-28T23:00:00.000+00:00",
"generator": {
"date": "2025-12-29T08:50:07.294+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2025-2734",
"initial_release_date": "2025-12-03T23:00:00.000+00:00",
"revision_history": [
{
"date": "2025-12-03T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-12-09T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-12-28T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Debian aufgenommen"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "azl3",
"product": {
"name": "Microsoft Azure Linux azl3",
"product_id": "T049210",
"product_identification_helper": {
"cpe": "cpe:/o:microsoft:azure_linux:azl3"
}
}
}
],
"category": "product_name",
"name": "Azure Linux"
}
],
"category": "vendor",
"name": "Microsoft"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.25.1",
"product": {
"name": "Open Source PgBouncer \u003c1.25.1",
"product_id": "T049073"
}
},
{
"category": "product_version",
"name": "1.25.1",
"product": {
"name": "Open Source PgBouncer 1.25.1",
"product_id": "T049073-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:open_source:pgbouncer:1.25.1"
}
}
}
],
"category": "product_name",
"name": "PgBouncer"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-12819",
"product_status": {
"known_affected": [
"T049073",
"2951",
"T049210"
]
},
"release_date": "2025-12-03T23:00:00.000+00:00",
"title": "CVE-2025-12819"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…