Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-21724

pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database during security research. A system using the PostgreSQL library can be attacked when an attacker controls the JDBC URL or connection properties. pgjdbc instantiates plugin instances based on class names provided via the `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, and `sslpasswordcallback` connection properties. However, the driver did not verify that the class implements the expected interface before instantiating it. This can lead to code execution via arbitrarily loaded classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.

Published

2022-02-02T12:15:08.390

Last Modified

2025-05-05T17:17:48.017

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.0 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-665
  • Type: Secondary
    CWE-665

Affected Vendors & Products
Type              Vendor         Product                   Version/Range  Vulnerable?
Application       postgresql     postgresql_jdbc_driver    < 42.2.25      Yes
Application       postgresql     postgresql_jdbc_driver    < 42.3.2       Yes
Application       postgresql     postgresql_jdbc_driver    42.3.2         Yes
Operating System  fedoraproject  fedora                    35             Yes
Application       quarkus        quarkus                   < 2.7.2        Yes
Operating System  debian         debian_linux              9.0            Yes
Operating System  debian         debian_linux              10.0           Yes
Operating System  debian         debian_linux              11.0           Yes

References