CVE-2022-21724

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-21724

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-21724.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-21724

Aliases

Related

Published

2022-02-02T12:15:08Z

Modified

2024-09-11T06:13:26.532Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.

References

Affected packages

Debian:11 / libpgjava

Package

Name: libpgjava
Purl: pkg:deb/debian/libpgjava?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

42.2.15-1+deb11u1

Affected versions

42.*

42.2.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libpgjava

Package

Name: libpgjava
Purl: pkg:deb/debian/libpgjava?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

42.3.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libpgjava

Package

Name: libpgjava
Purl: pkg:deb/debian/libpgjava?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

42.3.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/pgjdbc/pgjdbc

Affected ranges

Type: GIT
Repo: https://github.com/pgjdbc/pgjdbc
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f4d0ed69c0b3aae8531d83d6af4c57f22312c813

Type: GIT
Repo: https://github.com/quarkusio/quarkus
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c7555123aaef705d6e35693da4c0daa3db2e9cd7

Affected versions

REL42.*

REL42.0.0

REL42.1.0

REL42.1.1

REL42.1.2

REL42.1.3

REL42.1.4

REL42.2.0

REL42.2.1

REL42.2.10

REL42.2.11

REL42.2.12

REL42.2.13

REL42.2.14

REL42.2.14-rc1

REL42.2.15

REL42.2.15-rc1

REL42.2.15-rc2

REL42.2.16

REL42.2.16-rc2

REL42.2.2

REL42.2.3

REL42.2.4

REL42.2.5

REL42.2.6

REL42.2.7

REL42.2.8

REL42.2.9

REL42.3.0

REL42.3.0-rc1

REL42.3.0-rc2

REL42.3.1

REL42.3.1-rc1

REL42.3.1-rc2

Other

REL6_5

REL7_0

REL7_1

REL7_1_BETA

REL7_1_BETA2

REL7_1_BETA3

REL7_2

REL7_2_3

REL7_2_4

REL7_2_BETA1

REL7_2_BETA2

REL7_2_BETA3

REL7_2_BETA4

REL7_2_BETA5

REL7_2_RC1

REL7_2_RC2

REL7_4_BETA1

REL7_4_BETA2

REL7_4_BETA3

REL7_4_BETA4

REL7_4_BETA5

REL7_4_RC1

REL7_4_RC2

REL8_0_309

REL8_1_404

REL8_2_504

REL8_3_603

REL8_4_701

REL9_0_801

REL9_3_1100

REL9_4_1201

REL9_4_1202

REL9_4_1203

REL9_4_1204

REL9_4_1205

REL9_4_1206

release-6-3

REL9.*

REL9.4.1207

REL9.4.1208

REL9.4.1209

REL9.4.1210

REL9.4.1211

REL9.4.1212