Remote code execution in Postgresql JDBC driver

Published: 2022-05-02
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-26520
Exploitation vector Network
Public exploit N/A
Vulnerable software
Postgresql JDBC Driver
Universal components / Libraries / Libraries used by multiple products

Vendor PostgreSQL Global Development Group

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Input validation error

EUVDB-ID: #VU62716

Risk: High


CVE-ID: CVE-2022-26520


Exploit availability:


The vulnerability allows a remote attacker to create arbitrary files on the system.

The vulnerability exists due to insufficient validation of user-supplied input when handling jdbc URL or its properties. A remote attacker can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties.

Successful exploitation of the vulnerability may allow an attacker to create and executable arbitraru JSP file under a Tomcat web root.


Install updates from vendor's website.

Vulnerable software versions

Postgresql JDBC Driver: 42.1.0 - 42.3.2

Fixed software versions

CPE2.3 External links

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?