CVE-2022-21724

HIGH

PostgreSQL JDBC Driver pgjdbc - Plugin Class Code Execution

Title source: manual
STIX 2.1

Description

pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.

References (6)

Core 6
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220311-0005/
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2022/dsa-5196

Scores

CVSS v3 7.0
EPSS 0.0301
EPSS Percentile 85.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-665
Status published
Products (8)
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 35
org.postgresql/postgresql 9.4.1208 - 42.2.25Maven
postgresql/postgresql_jdbc_driver 42.3.2 rc1
postgresql/postgresql_jdbc_driver < 42.2.25
quarkus/quarkus < 2.7.2
Published Feb 02, 2022
Tracked Since Feb 18, 2026