9.8

CVE-2022-26520

EPSS 0.68%
Published 10.03.2022 17:47:45
Last modified 21.11.2024 06:54:06
Source cve@mitre.org
Teams watchlist Login
Open Login

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties

Affected products Warnungen 0 Metrics 3 CWE 0 References 8

Data is provided by the National Vulnerability Database (NVD)

Postgresql ≫ Postgresql Jdbc Driver Version >= 42.1.0 <= 42.1.4

Postgresql ≫ Postgresql Jdbc Driver Version >= 42.3.0 < 42.3.3

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.68%	0.709

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

https://www.debian.org/security/2022/dsa-5196

Third Party Advisory

https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc

Patch

Third Party Advisory

https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8

Third Party Advisory

https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3

Vendor Advisory

Release Notes

https://jdbc.postgresql.org/documentation/head/tomcat.html

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-26520

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-26520

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-26520

EUVD