| Name | CVE-2025-46801 |
| Description | Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. if the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-5974-1 |
| Debian Bugs | 1106119 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| pgpool2 (PTS) | bullseye | 4.1.4-3 | vulnerable |
| bullseye (security) | 4.1.4-3+deb11u1 | vulnerable | |
| bookworm, bookworm (security) | 4.3.5-1+deb12u1 | fixed | |
| trixie | 4.6.1-2 | fixed | |
| forky, sid | 4.6.3-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| pgpool2 | source | bookworm | 4.3.5-1+deb12u1 | DSA-5974-1 | ||
| pgpool2 | source | (unstable) | 4.6.1-1 | 1106119 |
https://www.pgpool.net/mediawiki/index.php/Main_Page#Pgpool-II_4.6.1.2C_4.5.7.2C_4.4.12.2C_4.3.15_and_4.2.22_officially_released_.282025.2F05.2F15.29_2
Fixed by: https://git.postgresql.org/gitweb/?p=pgpool2.git;a=commit;h=d8e2ace8737f64eee2bf5ca74f6294835fb75ccb (V4_6_1)