UBUNTU-CVE-2022-26520

See a problem?

Source

https://ubuntu.com/security/notices/UBUNTU-CVE-2022-26520

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-26520.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2022-26520

Related

CVE-2022-26520

Published

2022-03-10T17:47:00Z

Modified

2022-03-10T17:47:00Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

* DISPUTED * In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

References

Affected packages

Ubuntu:22.04:LTS / libpgjava

Package

Name: libpgjava
Purl: pkg:deb/ubuntu/libpgjava@42.3.3-1?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

42.3.3-1

Affected versions

42.*

42.2.23-1

42.2.24-1

42.3.1-1

42.3.2-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "libpostgresql-jdbc-java-doc": "42.3.3-1",
            "libpostgresql-jdbc-java": "42.3.3-1"
        }
    ]
}