CVE-2022-26520

Name: CVE-2022-26520
Description: In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.
Source: CVE
References: DSA-5196-1

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| libpgjava | jessie | 9.2-1002-1 | vulnerable |
| libpgjava | stretch (security), stretch (lts), stretch | 9.4.1212-1+deb9u1 | vulnerable |
| libpgjava | buster (security), buster, buster (lts) | 42.2.5-2+deb10u4 | fixed |
| libpgjava | bullseye (security), bullseye | 42.2.15-1+deb11u1 | fixed |
| libpgjava | bookworm | 42.5.4-1 | fixed |
| libpgjava | sid, trixie | 42.7.3-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libpgjava | source | jessie | (unfixed) | end-of-life | | |
| libpgjava | source | buster | 42.2.5-2+deb10u1 | | DSA-5196-1 | |
| libpgjava | source | bullseye | 42.2.15-1+deb11u1 | | DSA-5196-1 | |
| libpgjava | source | (unstable) | 42.3.3-1 | | | |

Notes

[stretch] - libpgjava <no-dsa> (Requires control over connection properties)
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8
https://github.com/pgjdbc/pgjdbc/commit/f6d47034a4ce292e1a659fa00963f6f713117064 (REL42.3.3-rc1)