CVE-2022-26520

EUVD-2022-1351
In pgjdbc before 42.3.3, an attacker who controls the JDBC URL or the connection properties can make the driver instantiate java.util.logging.FileHandler with an attacker-chosen path, and so write to arbitrary files, through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.
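The practical mitigation that follows from the vendor's position is to never hand an untrusted JDBC URL or property set to the driver unfiltered. The following is an added example, not code from pgjdbc or from NVD: a small validator that splits a pgjdbc URL into its base and query properties, merges any separately supplied properties, rejects the two keys named in the advisory (compared case-insensitively to be conservative) and additionally enforces an allow-list. The allow-list contents, the function names and the sample URLs are assumptions constructed for this example.

```python
"""Added example (not pgjdbc project code): reject connection properties that
CVE-2022-26520 turns into a java.util.logging.FileHandler write.

Assumptions: the ALLOWED_PROPERTIES set is a minimal illustrative allow-list,
and the sample URLs below are constructed for the example.
"""
from __future__ import annotations

from urllib.parse import parse_qsl

# Keys the advisory says pgjdbc (42.1.x, and 42.3.x before 42.3.3) feeds to
# FileHandler.  Stored lower-case; the check lower-cases incoming keys so an
# odd-cased variant is rejected rather than silently passed through.
DENIED_PROPERTIES = {"loggerfile", "loggerlevel"}

# Properties an untrusted caller may set (assumption for this example; a real
# deployment would pick the set its application actually needs).
ALLOWED_PROPERTIES = {
    "user", "password", "ssl", "sslmode", "ApplicationName", "currentSchema",
}


class UnsafeJdbcUrl(ValueError):
    """Raised when a URL or property set must not reach DriverManager."""


def parse_pg_jdbc_url(url: str) -> tuple[str, dict[str, str]]:
    """Split 'jdbc:postgresql://host:port/db?k=v&k2=v2' into (base, props).

    The query part is URL-decoded, because the driver also decodes it, so
    '%6coggerFile' and 'loggerFile' must be treated the same way here.
    """
    if not url.startswith("jdbc:postgresql:"):
        raise UnsafeJdbcUrl("not a pgjdbc URL")
    base, _, query = url.partition("?")
    props: dict[str, str] = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        props[key] = value
    return base, props


def check_connection_properties(
    url: str, extra_props: dict[str, str] | None = None
) -> tuple[str, dict[str, str]]:
    """Return (base_url, merged_props) if every property is acceptable.

    Properties from the URL and from the separate Properties object are merged
    first, since pgjdbc honours both sources; an attacker who controls either
    one can set loggerFile.  Raises UnsafeJdbcUrl otherwise.
    """
    base, merged = parse_pg_jdbc_url(url)
    merged.update(extra_props or {})
    for key in merged:
        if key.lower() in DENIED_PROPERTIES:
            raise UnsafeJdbcUrl(
                f"property {key!r} lets the driver write an arbitrary file "
                "via java.util.logging.FileHandler (CVE-2022-26520)"
            )
        if key not in ALLOWED_PROPERTIES:
            raise UnsafeJdbcUrl(f"property {key!r} is not on the allow-list")
    return base, merged


def is_safe(url: str, extra_props: dict[str, str] | None = None) -> bool:
    """Boolean convenience wrapper around check_connection_properties()."""
    try:
        check_connection_properties(url, extra_props)
        return True
    except UnsafeJdbcUrl:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: a benign tenant URL, and one of the shape the
    # advisory describes (a JSP path under a Tomcat web root as loggerFile).
    good = "jdbc:postgresql://db.internal:5432/app?user=app&sslmode=require"
    bad = ("jdbc:postgresql://db.internal:5432/app?loggerLevel=DEBUG"
           "&loggerFile=/opt/tomcat/webapps/ROOT/x.jsp")
    print("benign URL accepted:", is_safe(good))
    print("advisory-shaped URL rejected:", not is_safe(bad))
    print("denied key via Properties rejected:",
          not is_safe(good, {"LoggerFile": "/tmp/out.log"}))
```

The allow-list is the part that matters: a deny-list of the two keys from the advisory only closes this one file-write, whereas rejecting every property the application did not explicitly opt into also covers whatever other driver setting an untrusted caller might reach, which is the point of the vendor's statement about untrusted connection properties.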
CVSS 3.x Base Score
Provider  Type     Base Score    Attack Vector  Attack Complexity  Privileges Required  Vector
NIST      Primary  9.8 CRITICAL  NETWORK        LOW                NONE                 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score: percentile 79%
Affected Products (NVD)
Vendor      Product                  Version
postgresql  postgresql_jdbc_driver   42.1.0 <= x <= 42.1.4
postgresql  postgresql_jdbc_driver   42.3.0 <= x < 42.3.3
debian      debian_linux             10.0
debian      debian_linux             11.0
(x = vulnerable software versions)
Debian Releases (libpgjava)
Codename             Version             Status
bookworm             42.5.4-1            fixed
bullseye             42.2.15-1+deb11u1   fixed
bullseye (security)  42.2.15-1+deb11u1   fixed
sid                  42.7.3-1            fixed
stretch              -                   no-dsa
trixie               42.7.3-1            fixed
Ubuntu Releases (libpgjava)
Codename  Status
bionic    not-affected
focal     not-affected
impish    ignored
jammy     not-affected
kinetic   not-affected
lunar     not-affected
mantic    not-affected
noble     not-affected
trusty    not-affected
xenial    not-affected