Description
PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versions
Severity (CVSS)
| Base score | 4.3 |
|---|---|
| Severity | Medium |
| Version | CVSS 3.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Provided by | CNA |
Weaknesses
- CWE-328 — Use of Weak Hash
Affected products
| Vendor | Product | Versions |
|---|---|---|
| DALIBO | PostgreSQL Anonymizer | 1 to <3.1.2 |
References
Generated from the official CVE List on 01 Jul 2026 07:05 UTC.