GHSA-p9jg-fcr6-3mhf
OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms
Blast Radius
com.ongres.scram:scram-client☕com.ongres.scram:scram-commonReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.
Description
Summary
A flaw in com.ongres.scram:scram-client allows an attacker capable of performing a TLS man-in-the-middle (MITM) attack to silently downgrade a connection from SCRAM-SHA-256-PLUS (with channel binding) to standard SCRAM-SHA-256 (without channel binding), bypassing strict client-side enforcement policies.
Component Breakdown
This occurs due to a two-part failure in TlsServerEndpoint when a server presents an X.509 certificate using a modern signature algorithm that lacks traditional WITH naming structures (such as Ed25519 or post-quantum algorithms):
- The internal hash derivation method fails to parse the algorithm name, swallows the resulting
NoSuchAlgorithmException, and silently returns an empty byte array via the deprecatedgetChannelBindingData()` API. - The client builder mistakenly interprets this empty byte array as an environmental absence of channel binding data rather than a cryptographic failure, falling back to non-channel-bound authentication.
Impact & Scope
This issue only impacts deployments where the downstream application layer explicitly enforces strict channel binding enforcement (e.g., channelBinding=require in pgJDBC).
Drivers operating under a "prefer" or "allow" policy (used by default) are structurally insulated from an unhandled exception since a fallback to standard SCRAM is within their expected configuration.
Remediation
Update your project configuration to pull in version 3.3 or later of the SCRAM library, which introduces strict exception propagation and explicit policy controls.
If you are interacting with the ScramClient builder API directly (e.g., writing a custom driver or database extension):
- Migrate Deprecated APIs: Stop using
TlsServerEndpoint.getChannelBindingData(). Transition immediately toTlsServerEndpoint.getChannelBindingHash(), which correctly propagatesNoSuchAlgorithmExceptionup the stack. - Adopt Explicit Policies: Leverage the newly introduced
ChannelBindingPolicyAPI during client construction. Do not rely on implicit parameter presence to dictate your security boundaries.
ScramClient client = ScramClient.builder()
.advertisedMechanisms(serverMechanisms)
.username(user)
.password(pass)
// Explicitly enforce strict boundaries if needed.
.channelBindingPolicy(ChannelBindingPolicy.REQUIRE)
.channelBinding(TlsServerEndpoint.TLS_SERVER_END_POINT, certHash)
.build();
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| ☕Maven | com.ongres.scram:scram-client | all versions | 3.3 |
| ☕Maven | com.ongres.scram:scram-common | all versions | 3.3 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for com.ongres.scram:scram-client. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update com.ongres.scram:scram-client to 3.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-p9jg-fcr6-3mhf is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-p9jg-fcr6-3mhf is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-p9jg-fcr6-3mhf. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-p9jg-fcr6-3mhf in your dependencies?
O3 detects GHSA-p9jg-fcr6-3mhf across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.