Miggo Logo
Miggo Vulnerability Database
CVE-2021-31671

CVE-2021-31671: Pgsync Contains Cleartext Transmission of Sensitive Information

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-31671
GHSA ID
GHSA-72rj-36qc-47g7
EPSS Score
0.40502%
CWE
CWE-319
Published
4/27/2021
Updated
8/25/2023
KEV Status
No
Technology
TechnologyRuby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
pgsyncrubygems< 0.6.70.6.7

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper handling of connection parameters when using --schema-first/--schema-only options. The commit diff shows critical changes in command construction in schema_sync.rb. Previously, connection URLs were appended directly to command strings ("-d #{@source.url}"), which can lose URL parameters during shell command parsing. The patched version改用array-based command construction to preserve all parameters. The dump_command and restore_command methods were directly responsible for this insecure parameter handling in vulnerable versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

p*syn* ***or* *.*.* is *****t** *y In*orm*tion *is*losur* o* s*nsitiv* in*orm*tion. Syn*in* t** s***m* wit* t** `--s***m*-*irst` *n* `--s***m*-only` options is mis**n*l**. *or *x*mpl*, t** sslmo** *onn**tion p*r*m*t*r m*y ** lost, w*i** m**ns t**t SS

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* *onn**tion p*r*m*t*rs w**n usin* --s***m*-*irst/--s***m*-only options. T** *ommit *i** s*ows *riti**l ***n**s in *omm*n* *onstru*tion in s***m*_syn*.r*. Pr*viously, *onn**tion URLs w*r* *pp*n*** *ir**