CVE-2022-26520
Severity: CRITICAL
PostgreSQL JDBC Driver 42.1.0-42.3.2 - Arbitrary File Write via loggerFile and loggerLevel Connection Properties
Title source: llmDescription
In pgjdbc before 42.3.3, an attacker who controls the JDBC URL or connection properties can cause the driver to instantiate java.util.logging.FileHandler and write to arbitrary files through the loggerFile and loggerLevel connection properties. One example is creating an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that this is not a pgjdbc vulnerability; rather, it is a vulnerability in any application that uses the pgjdbc driver with untrusted connection properties.
References (5)
Release Notes, Vendor Advisory (x_refsource_misc): https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3
Third Party Advisory (x_refsource_misc): https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8
Patch, Third Party Advisory (x_refsource_misc): https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc
Vendor Advisory (x_refsource_misc): https://jdbc.postgresql.org/documentation/head/tomcat.html
Third Party Advisory, vendor-advisory (x_refsource_debian): https://www.debian.org/security/2022/dsa-5196
Scores
CVSS v3: 9.8
EPSS: 0.0128
EPSS Percentile: 79.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status: published
Products (4)
debian/debian_linux 10.0
debian/debian_linux 11.0
org.postgresql/postgresql 42.1.0 - 42.3.3 (Maven)
postgresql/postgresql_jdbc_driver 42.1.0 - 42.1.4
Published: Mar 10, 2022
Tracked Since: Feb 18, 2026