CVE-2022-26520

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

07 Nov 2023, 03:45

Type Values Removed Values Added
Summary ** DISPUTED ** In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties. In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties

09 Nov 2022, 21:38

Type Values Removed Values Added
References (DEBIAN) https://www.debian.org/security/2022/dsa-5196 - (DEBIAN) https://www.debian.org/security/2022/dsa-5196 - Third Party Advisory
First Time Debian debian Linux
Debian
CPE cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

01 Aug 2022, 11:15

Type Values Removed Values Added
References
  • (DEBIAN) https://www.debian.org/security/2022/dsa-5196 -

30 Mar 2022, 17:14

Type Values Removed Values Added
First Time Postgresql postgresql Jdbc Driver
CPE cpe:2.3:a:postgresql:pgjdbc:*:*:*:*:*:*:*:* cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:*

22 Mar 2022, 14:50

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : 7.5
v3 : 9.8
First Time Postgresql
Postgresql pgjdbc
CWE NVD-CWE-noinfo
CPE cpe:2.3:a:postgresql:pgjdbc:*:*:*:*:*:*:*:*
References (MISC) https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8 - (MISC) https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8 - Third Party Advisory
References (MISC) https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc - (MISC) https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc - Patch, Third Party Advisory
References (MISC) https://jdbc.postgresql.org/documentation/head/tomcat.html - (MISC) https://jdbc.postgresql.org/documentation/head/tomcat.html - Vendor Advisory
References (MISC) https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3 - (MISC) https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3 - Release Notes, Vendor Advisory

10 Mar 2022, 17:53

Type Values Removed Values Added
New CVE

Information

Published : 2022-03-10 17:47

Updated : 2024-05-17 02:07


NVD link : CVE-2022-26520

Mitre link : CVE-2022-26520

CVE.ORG link : CVE-2022-26520


JSON object : View

Products Affected

postgresql

  • postgresql_jdbc_driver

debian

  • debian_linux