CVE-2022-26520
Severity: CRITICAL 9.8
Description
In pgjdbc before 42.3.3, an attacker (who controls the JDBC URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.
CVE details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 3/10/2022
Last modified: 11/21/2024
Source: nvd
Honeypot sightings: 0
Affected products
debian:debian_linux
postgresql:postgresql_jdbc_driver
References
https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc (cve@mitre.org, af854a3a-2127-422b-91ae-364da2661108)
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8 (af854a3a-2127-422b-91ae-364da2661108)
https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3 (af854a3a-2127-422b-91ae-364da2661108)
https://jdbc.postgresql.org/documentation/head/tomcat.html (cve@mitre.org, af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2022/dsa-5196 (cve@mitre.org, af854a3a-2127-422b-91ae-364da2661108)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.