CVE-2022-21724
published 2022-02-02


Priority: P260 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.01% (85.7th percentile)
pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database during security research. A system using the PostgreSQL library can be attacked when an attacker controls the JDBC URL or connection properties. pgjdbc instantiates plugin instances based on class names provided via the `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory` and `sslpasswordcallback` connection properties. However, the driver did not verify that the class implements the expected interface before instantiating it. This can lead to code execution via arbitrarily loaded classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.

Affected

9 ranges

Vendor           Product                   Version range                      Fixed in
debian           debian_linux
debian           debian_linux
debian           debian_linux
debian           libpgjava                 < libpgjava 42.3.2-1 (bookworm)    libpgjava 42.3.2-1 (bookworm)
fedoraproject    fedora
postgresql       postgresql_jdbc_driver    < 42.2.25                          42.2.25
postgresql       postgresql_jdbc_driver
postgresql       postgresql_jdbc_driver    >= 42.3.0, < 42.3.2                42.3.2
quarkus          quarkus                   < 2.7.2                            2.7.2

Detection & IOCs (extracted from sources)

  • Attacker-controlled JDBC connection property `authenticationPluginClassName` can be used to instantiate arbitrary classes without interface verification, enabling code execution
  • Monitor JDBC URL or connection properties for attacker-supplied class names in any of the five vulnerable properties: authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback
  • Exploitation scope is local; focus detection on local process/application-level manipulation of JDBC connection strings or configuration files supplying plugin class names
  • Upstream re-scored this issue and it is no longer considered a full RCE; rated Moderate by Red Hat. Detection priority should be adjusted accordingly.
  • Fixed in pgjdbc 42.3.2 (Debian sid/bookworm/trixie/forky) and 42.2.15-1+deb11u1 (Debian bullseye); environments still running older versions remain vulnerable
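The detection bullet above amounts to a configuration review: find every place a pgjdbc URL or properties file sets one of the five plugin class-name properties, and check the class against what the operator has actually approved. The script below is an added example written for this page, not pgjdbc's own code or tooling. It parses both JDBC URL query strings and Java `.properties`-style `key=value` lines, matches property names case-insensitively (a deliberate choice so a mis-cased key is not missed), and reports each hit as approved or unapproved. The sample lines, the host `db.internal` and the `com.example.*` class names are constructed for illustration; the allowlist is whatever the operator has reviewed.

```python
"""Detection aid for CVE-2022-21724: flag pgjdbc connection strings or
Java properties that set one of the five plugin class-name properties.

Constructed example; not pgjdbc's own code. The sample inputs and the
allowlist entries are invented for illustration.
"""
from urllib.parse import parse_qs

# The five connection properties the advisory names as accepting a class name.
PLUGIN_CLASS_PROPERTIES = (
    "authenticationPluginClassName",
    "sslhostnameverifier",
    "socketFactory",
    "sslfactory",
    "sslpasswordcallback",
)
# Lower-cased lookup so a mis-cased key in a config file is still caught.
_CANONICAL = {name.lower(): name for name in PLUGIN_CLASS_PROPERTIES}


def extract_properties(line: str) -> dict:
    """Return key -> value pairs from one input line.

    Accepts either a JDBC URL (parameters after '?', '&'-separated) or a
    Java .properties style 'key=value' line; comments and blanks yield {}.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return {}
    if line.lower().startswith("jdbc:"):
        _, _, query = line.partition("?")
        return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    key, sep, value = line.partition("=")
    return {key.strip(): value.strip()} if sep else {}


def find_plugin_class_settings(lines, approved_classes):
    """Scan lines and return (line_no, property, class_name, status) tuples
    for every plugin class-name property encountered. status is 'approved'
    when the class is on the operator's allowlist, else 'UNAPPROVED'."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for key, value in extract_properties(line).items():
            canonical = _CANONICAL.get(key.lower())
            if canonical is None:
                continue  # not one of the five (e.g. socketFactoryArg, user, ssl)
            status = "approved" if value in approved_classes else "UNAPPROVED"
            findings.append((line_no, canonical, value, status))
    return findings


# Constructed sample input: two datasource URLs and a fragment of a .properties file.
SAMPLE_LINES = [
    "jdbc:postgresql://db.internal:5432/app?user=app&sslfactory=com.example.ApprovedSslFactory",
    "jdbc:postgresql://db.internal:5432/app?user=app&socketFactory=com.example.NotReviewed&socketFactoryArg=x",
    "# datasource.properties",
    "authenticationPluginClassName=com.example.UnexpectedClass",
    "jdbc:postgresql://db.internal:5432/app?user=app&ssl=true",
]
# Constructed allowlist: class names an operator has reviewed and approved.
APPROVED_CLASSES = {"com.example.ApprovedSslFactory"}


if __name__ == "__main__":
    for line_no, prop, cls, status in find_plugin_class_settings(SAMPLE_LINES, APPROVED_CLASSES):
        print(f"line {line_no}: {prop}={cls} [{status}]")
```

Run against real configuration, the unapproved hits are the ones to investigate: any of these properties set from a source an attacker could influence (a request parameter, an environment variable, a tenant-supplied datasource definition) is the exposure the advisory describes, and upgrading to a fixed pgjdbc release remains the only remediation the page lists.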

CVSS provenance

Source          Version    Score    Severity    Vector
nvd             v3.1       9.8      CRITICAL    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0       7.5      HIGH        AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                        9.8      CRITICAL
vendor_debian              7.0      HIGH
vendor_redhat              7.0      HIGH