9.8

CVE-2022-26520

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PostgresqlPostgresql Jdbc Driver Version >= 42.1.0 <= 42.1.4
PostgresqlPostgresql Jdbc Driver Version >= 42.3.0 < 42.3.3
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 3% 0.857
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://www.debian.org/security/2022/dsa-5196
Third Party Advisory
https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc
Patch
Third Party Advisory
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8
Third Party Advisory
https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3
Vendor Advisory
Release Notes
https://jdbc.postgresql.org/documentation/head/tomcat.html
Vendor Advisory