CVE-2025-46801 (GCVE-0-2025-46801)

Vulnerability from cvelistv5 – Published: 2025-05-19 07:14 – Updated: 2025-11-03 17:44
VLAI?
Summary
Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. if the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database.
Severity ?
9.8 (Critical)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE
  • CWE-305 - Authentication bypass by primary weakness
Assigner
References
Impacted products
Vendor Product Version
PgPool Global Development Group Pgpool-II Affected: 4.6.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46801",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-19T16:02:35.673653Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-19T16:02:56.831Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:44:50.344Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00014.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Pgpool-II",
          "vendor": "PgPool Global Development Group",
          "versions": [
            {
              "status": "affected",
              "version": "4.6.0"
            }
          ]
        },
        {
          "product": "Pgpool-II",
          "vendor": "PgPool Global Development Group",
          "versions": [
            {
              "status": "affected",
              "version": "4.5.0 to 4.5.6"
            }
          ]
        },
        {
          "product": "Pgpool-II",
          "vendor": "PgPool Global Development Group",
          "versions": [
            {
              "status": "affected",
              "version": "4.4.0 to 4.4.11"
            }
          ]
        },
        {
          "product": "Pgpool-II",
          "vendor": "PgPool Global Development Group",
          "versions": [
            {
              "status": "affected",
              "version": "4.3.0 to 4.3.14"
            }
          ]
        },
        {
          "product": "Pgpool-II",
          "vendor": "PgPool Global Development Group",
          "versions": [
            {
              "status": "affected",
              "version": "4.2.0 to 4.2.21"
            }
          ]
        },
        {
          "product": "Pgpool-II",
          "vendor": "PgPool Global Development Group",
          "versions": [
            {
              "status": "affected",
              "version": "All versions of 4.1 series"
            }
          ]
        },
        {
          "product": "Pgpool-II",
          "vendor": "PgPool Global Development Group",
          "versions": [
            {
              "status": "affected",
              "version": "All versions of 4.0 series"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. if the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-305",
              "description": "Authentication bypass by primary weakness",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-19T07:14:45.304Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.pgpool.net/mediawiki/index.php/Main_Page#News"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN06238225/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-46801",
    "datePublished": "2025-05-19T07:14:45.304Z",
    "dateReserved": "2025-04-30T08:26:53.970Z",
    "dateUpdated": "2025-11-03T17:44:50.344Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-46801\",\"sourceIdentifier\":\"vultures@jpcert.or.jp\",\"published\":\"2025-05-19T08:15:21.840\",\"lastModified\":\"2025-11-03T18:16:54.083\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. if the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database.\"},{\"lang\":\"es\",\"value\":\"Pgpool-II proporcionado por PgPool Global Development Group contiene una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n por debilidad primaria. Si se explota la vulnerabilidad, un atacante puede iniciar sesi\u00f3n en el sistema como un usuario arbitrario, lo que le permite leer o manipular datos en la base de datos y/o deshabilitar la base de datos.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"vultures@jpcert.or.jp\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV30\":[{\"source\":\"vultures@jpcert.or.jp\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"vultures@jpcert.or.jp\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-305\"}]}],\"references\":[{\"url\":\"https://jvn.jp/en/jp/JVN06238225/\",\"source\":\"vultures@jpcert.or.jp\"},{\"url\":\"https://www.pgpool.net/mediawiki/index.php/Main_Page#News\",\"source\":\"vultures@jpcert.or.jp\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/10/msg00014.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/10/msg00014.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T17:44:50.344Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-46801\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-19T16:02:35.673653Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-19T16:02:50.683Z\"}}], \"cna\": {\"metrics\": [{\"format\": \"CVSS\", \"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"}, \"scenarios\": [{\"lang\": \"en-US\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.3, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\"}, \"scenarios\": [{\"lang\": \"en-US\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"PgPool Global Development Group\", \"product\": \"Pgpool-II\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.6.0\"}]}, {\"vendor\": \"PgPool Global Development Group\", \"product\": \"Pgpool-II\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.5.0 to 4.5.6\"}]}, {\"vendor\": \"PgPool Global Development Group\", \"product\": \"Pgpool-II\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.4.0 to 4.4.11\"}]}, {\"vendor\": \"PgPool Global Development Group\", \"product\": \"Pgpool-II\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.3.0 to 4.3.14\"}]}, {\"vendor\": \"PgPool Global Development Group\", \"product\": \"Pgpool-II\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.2.0 to 4.2.21\"}]}, {\"vendor\": \"PgPool Global Development Group\", \"product\": \"Pgpool-II\", \"versions\": [{\"status\": \"affected\", \"version\": \"All versions of 4.1 series\"}]}, {\"vendor\": \"PgPool Global Development Group\", \"product\": \"Pgpool-II\", \"versions\": [{\"status\": \"affected\", \"version\": \"All versions of 4.0 series\"}]}], \"references\": [{\"url\": \"https://www.pgpool.net/mediawiki/index.php/Main_Page#News\"}, {\"url\": \"https://jvn.jp/en/jp/JVN06238225/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. if the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en-US\", \"type\": \"CWE\", \"cweId\": \"CWE-305\", \"description\": \"Authentication bypass by primary weakness\"}]}], \"providerMetadata\": {\"orgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"shortName\": \"jpcert\", \"dateUpdated\": \"2025-05-19T07:14:45.304Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-46801\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T17:44:50.344Z\", \"dateReserved\": \"2025-04-30T08:26:53.970Z\", \"assignerOrgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"datePublished\": \"2025-05-19T07:14:45.304Z\", \"assignerShortName\": \"jpcert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.