File Manipulation Vulnerability in pgjdbc Driver Affecting Applications
CVE-2022-26520

9.8 CRITICAL

Key Information:

Vendor:
Postgresql
CVE Published:
10 March 2022

Summary

A vulnerability exists in the pgjdbc JDBC driver prior to version 42.3.3 that allows an attacker who controls the JDBC URL or connection properties to abuse the loggerFile and loggerLevel connection properties. Because these properties tell the driver where and at what level to write its log, the attacker can write arbitrary files on the system, including executable JSP files placed within a Tomcat web root. The vendor states that the risk applies to any application that passes untrusted connection properties to the pgjdbc driver, which underscores the need to lock down application configuration so that externally supplied settings cannot lead to unauthorized file writes and code execution.
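One defensive measure that follows from the summary is to never hand externally supplied connection settings straight to the driver. The following Java class is an added example, not code from this advisory or from the pgjdbc project: it parses the query part of a pgjdbc URL and a java.util.Properties set, and refuses any key outside a hypothetical application allowlist, so loggerFile and loggerLevel (or any other unexpected property) can never reach the driver. The allowlist contents, the host name, database name and file path in the sample inputs are all constructed placeholders.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

/** Rejects pgjdbc connection settings an application never wants supplied from outside. */
public final class JdbcPropertyFilter {

    // Hypothetical allowlist: the only properties this application takes from external config.
    // loggerFile and loggerLevel are deliberately absent, as is everything else not listed.
    private static final Set<String> ALLOWED = Set.of(
            "user", "password", "sslmode", "ApplicationName", "connectTimeout");

    private static final String URL_PREFIX = "jdbc:postgresql://";

    /** Thrown when a JDBC URL or property set carries a setting outside the allowlist. */
    public static final class UntrustedPropertyException extends IllegalArgumentException {
        UntrustedPropertyException(String key) {
            super("connection property not permitted from external configuration: " + key);
        }
    }

    /** Parses the query part of a pgjdbc URL into key/value pairs, percent-decoding both sides. */
    static Map<String, String> queryParameters(String jdbcUrl) {
        Map<String, String> params = new LinkedHashMap<>();
        int q = jdbcUrl.indexOf('?');
        if (q < 0) {
            return params;
        }
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            // Decode before checking so an encoded key such as %6CoggerFile cannot slip past.
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    /** Validates every query parameter against the allowlist and returns the URL without its query. */
    public static String validateUrl(String jdbcUrl) {
        if (!jdbcUrl.startsWith(URL_PREFIX)) {
            throw new IllegalArgumentException("not a pgjdbc URL");
        }
        for (String key : queryParameters(jdbcUrl).keySet()) {
            if (!ALLOWED.contains(key)) {
                throw new UntrustedPropertyException(key);
            }
        }
        int q = jdbcUrl.indexOf('?');
        return q < 0 ? jdbcUrl : jdbcUrl.substring(0, q);
    }

    /** Copies only allowlisted entries; any other key aborts rather than being silently dropped. */
    public static Properties validateProperties(Properties external) {
        Properties safe = new Properties();
        for (String key : external.stringPropertyNames()) {
            if (!ALLOWED.contains(key)) {
                throw new UntrustedPropertyException(key);
            }
            safe.setProperty(key, external.getProperty(key));
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; host, database and path are placeholders.
        String clean = "jdbc:postgresql://db.example.internal:5432/app?sslmode=require";
        String tampered = "jdbc:postgresql://db.example.internal:5432/app"
                + "?loggerLevel=DEBUG&loggerFile=/placeholder/path/out.log";

        System.out.println("accepted: " + validateUrl(clean));
        try {
            validateUrl(tampered);
        } catch (UntrustedPropertyException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter fails closed: an unknown key aborts connection setup instead of being stripped, so a misconfiguration surfaces immediately rather than silently changing behaviour. Applying the same check to both the URL query string and the Properties object matters because pgjdbc accepts connection settings through either path. Upgrading to pgjdbc 42.3.3 or later remains the primary fix; this check is a second layer for deployments where configuration can originate outside the application's trust boundary.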

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
