Skip to content

[5.1] Bump scram-client from 3.2 to 3.3 fixing CVE-2026-53712#1683

Open
julianladisch wants to merge 1 commit into
eclipse-vertx:5.1from
julianladisch:5.1-scram-3.3
Open

[5.1] Bump scram-client from 3.2 to 3.3 fixing CVE-2026-53712#1683
julianladisch wants to merge 1 commit into
eclipse-vertx:5.1from
julianladisch:5.1-scram-3.3

Conversation

@julianladisch

Copy link
Copy Markdown
Contributor

scram-client 3.3 fixes a flaw that allows an attacker capable of performing a TLS machine-in-the-middle (MITM) attack to silently downgrade a connection from SCRAM-SHA-256-PLUS (with channel binding)
to standard SCRAM-SHA-256 (without channel binding), bypassing strict client-side enforcement policies.

See GHSA-p9jg-fcr6-3mhf and https://github.com/ongres/scram/releases/tag/3.3

scram-client 3.3 fixes a flaw that allows an attacker capable of performing
a TLS machine-in-the-middle (MITM) attack to silently downgrade a connection
from SCRAM-SHA-256-PLUS (with channel binding)
to standard SCRAM-SHA-256 (without channel binding),
bypassing strict client-side enforcement policies.

See GHSA-p9jg-fcr6-3mhf
and https://github.com/ongres/scram/releases/tag/3.3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant