Remote code execution in Postgresql JDBC driver



Published: 2022-05-02
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-26520
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Postgresql JDBC Driver
Universal components / Libraries / Libraries used by multiple products

Vendor PostgreSQL Global Development Group

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Input validation error

EUVDB-ID: #VU62716

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-26520

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to create arbitrary files on the system.

The vulnerability exists due to insufficient validation of user-supplied input when handling jdbc URL or its properties. A remote attacker can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties.

Successful exploitation of the vulnerability may allow an attacker to create and executable arbitraru JSP file under a Tomcat web root.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Postgresql JDBC Driver: 42.3.0 - 42.3.2, 42.2.0 - 42.2.25, 42.1.0 - 42.1.4


CPE2.3 External links

http://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8
http://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3
http://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc
http://jdbc.postgresql.org/documentation/head/tomcat.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###