CVE-2022-21724Improper Initialization in Postgresql Jdbc Driver

CWE-665Improper InitializationCWE-668Resource ExposureCWE-74Injection7 documents6 sources
Severity
9.8CRITICALNVD
CNA7.0
EPSS
4.8%
top 10.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Postgresql Jdbc DriverQuarkusDebian Linux+1 more
Timeline
PublishedFeb 2

Description

pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the cl

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDpostgresql/postgresql_jdbc_driver42.3.042.3.2+2
NVDquarkus/quarkus< 2.7.2

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 35

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
CVE-2022-21724: pgjdbc is the offical PostgreSQL JDBC Driver2022-02-02
GHSA
pgjdbc Does Not Check Class Instantiation when providing Plugin Classes2022-02-02
OSV
pgjdbc Does Not Check Class Instantiation when providing Plugin Classes2022-02-02
CVEList
Unchecked Class Instantiation when providing Plugin Classes2022-02-02

📋Vendor Advisories

2
Red Hat
jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes2022-02-01
Debian
CVE-2022-21724: libpgjava - pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the j...2022
CVE-2022-21724 — Improper Initialization in Postgresql | cvebase