9.8

CVE-2022-26520

EPSS 0.68%
Veröffentlicht 10.03.2022 17:47:45
Zuletzt bearbeitet 21.11.2024 06:54:06
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties

Betroffene Produkte Warnungen 0 Metriken 3 CWE 0 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Postgresql ≫ Postgresql Jdbc Driver Version >= 42.1.0 <= 42.1.4

Postgresql ≫ Postgresql Jdbc Driver Version >= 42.3.0 < 42.3.3

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.68%	0.709

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

https://www.debian.org/security/2022/dsa-5196

Third Party Advisory

https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc

Patch

Third Party Advisory

https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8

Third Party Advisory

https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3

Vendor Advisory

Release Notes

https://jdbc.postgresql.org/documentation/head/tomcat.html

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-26520

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-26520

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-26520

EUVD