CVE-2022-26520 - OpenCVE

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Postgresql	Postgresql Jdbc Driver

Configuration 1 [-]

OR	cpe:2.3:a:postgresql:postgresql_jdbc_driver::::::::
	cpe:2.3:a:postgresql:postgresql_jdbc_driver::::::::

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

References

Link	Resource
https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc	Patch Third Party Advisory
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8	Third Party Advisory
https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3	Release Notes Vendor Advisory
https://jdbc.postgresql.org/documentation/head/tomcat.html	Vendor Advisory
https://www.debian.org/security/2022/dsa-5196	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-03-07T17:00:37

Updated: 2022-07-31T19:06:34

Reserved: 2022-03-06T00:00:00

Link: CVE-2022-26520

JSON object: View

NVD Information

Status : Modified

Published: 2022-03-10T17:47:45.810

Modified: 2024-05-17T02:07:03.663

Link: CVE-2022-26520

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-31T19:06:34", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc"}, {"tags": ["x_refsource_MISC"], "url": "https://jdbc.postgresql.org/documentation/head/tomcat.html"}, {"name": "DSA-5196", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2022/dsa-5196"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-26520", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3", "refsource": "MISC", "url": "https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3"}, {"name": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8", "refsource": "MISC", "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8"}, {"name": "https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc", "refsource": "MISC", "url": "https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc"}, {"name": "https://jdbc.postgresql.org/documentation/head/tomcat.html", "refsource": "MISC", "url": "https://jdbc.postgresql.org/documentation/head/tomcat.html"}, {"name": "DSA-5196", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5196"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-26520", "datePublished": "2022-03-07T17:00:37", "dateReserved": "2022-03-06T00:00:00", "dateUpdated": "2022-07-31T19:06:34", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:*", "matchCriteriaId": "E992D2E1-C637-4046-8077-18D8C2FF1433", "versionEndIncluding": "42.1.4", "versionStartIncluding": "42.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB084209-C713-42F1-B1C4-78C92AA63720", "versionEndExcluding": "42.3.3", "versionStartIncluding": "42.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties"}, {"lang": "es", "value": "** EN DISPUTA ** En pgjdbc versiones anteriores a 42.3.3, un atacante (que controla la URL o las propiedades de jdbc) puede llamar a java.util.logging.FileHandler para escribir en archivos arbitrarios mediante las propiedades de conexi\u00f3n loggerFile y loggerLevel. Una situaci\u00f3n de ejemplo es que un atacante podr\u00eda crear un archivo JSP ejecutable bajo una root web de Tomcat. NOTA: la posici\u00f3n del proveedor es que no se presenta una vulnerabilidad de pgjdbc; en cambio, es una vulnerabilidad para cualquier aplicaci\u00f3n que use el controlador pgjdbc con propiedades de conexi\u00f3n no confiables"}], "id": "CVE-2022-26520", "lastModified": "2024-05-17T02:07:03.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-10T17:47:45.810", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://jdbc.postgresql.org/documentation/head/tomcat.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5196"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}