PostgreSQL JDBC Driver Vulnerability in PgJDBC
CVE-2020-13692

7.7 HIGH

Key Information:

Vendor: PostgreSQL
CVE Published: 4 June 2020

Summary

The PostgreSQL JDBC Driver, also known as PgJDBC, is vulnerable to XML External Entity (XXE) injection in versions prior to 42.2.13 because of improper handling of XML input. An attacker could exploit the application's parsing of XML data, potentially resulting in unauthorized access to sensitive data and services. Updating to version 42.2.13 or later is recommended to mitigate this vulnerability.

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
