CVE-2022-26520 — CRITICAL (9.8)

Q: How severe is CVE-2022-26520?

CVE-2022-26520 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2022-26520?

Check the references section above for vendor advisories and patch information. Affected products include: Postgresql Postgresql Jdbc Driver, Debian Debian Linux.

Vulnerability Description

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Postgresql	Postgresql Jdbc Driver	>= 42.1.0, <= 42.1.4
Debian	Debian Linux	10.0

References

https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6PatchThird Party Advisory
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8Third Party Advisory
https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3Release NotesVendor Advisory
https://jdbc.postgresql.org/documentation/head/tomcat.htmlVendor Advisory
https://www.debian.org/security/2022/dsa-5196Third Party Advisory
https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6PatchThird Party Advisory
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8Third Party Advisory
https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3Release NotesVendor Advisory
https://jdbc.postgresql.org/documentation/head/tomcat.htmlVendor Advisory
https://www.debian.org/security/2022/dsa-5196Third Party Advisory

FAQ

What is CVE-2022-26520?

CVE-2022-26520 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection prop...

How severe is CVE-2022-26520?

CVE-2022-26520 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-26520?

Check the references section above for vendor advisories and patch information. Affected products include: Postgresql Postgresql Jdbc Driver, Debian Debian Linux.