Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-p9jg-fcr6-3mhf | OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms |
Fri, 17 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Ongres
Ongres scram |
|
| Vendors & Products |
Ongres
Ongres scram |
Fri, 17 Jul 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 17 Jul 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) authentication mechanisms. Prior to 3.3, a flaw in com.ongres.scram:scram-client and com.ongres.scram:scram-common allows an attacker capable of a TLS man-in-the-middle attack to silently downgrade a connection from SCRAM-SHA-256-PLUS with channel binding to standard SCRAM-SHA-256 without channel binding when TlsServerEndpoint processes an X.509 certificate using a modern signature algorithm such as Ed25519; getChannelBindingData() can return an empty byte array after NoSuchAlgorithmException, and the ScramClient builder treats that as absent channel-binding data. This issue is fixed in version 3.3. | |
| Title | SCRAM: Silent channel-binding authentication downgrade via unsupported certificate algorithms | |
| Weaknesses | CWE-636 CWE-757 |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T19:09:07.924Z
Reserved: 2026-06-10T16:43:31.241Z
Link: CVE-2026-53712
Updated: 2026-07-17T19:09:03.960Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T20:15:16Z
Github GHSA