CVE-2022-41946Sensitive Information Exposure in Postgresql Jdbc Driver

CWE-200Sensitive Information ExposureCWE-377Insecure Temporary FileCWE-668Resource ExposureCWE-732Incorrect Permission Assignment10 documents7 sources
Severity
5.5MEDIUMNVD
CNA4.7
EPSS
0.1%
top 68.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Lightbend Akka HttpPostgresql Jdbc DriverPgjdbc+1 more
Timeline
PublishedNov 23
Latest updateMay 21

Description

pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

NVDpostgresql/postgresql_jdbc_driver42.2.042.2.27+3
CVEListV5pgjdbc/pgjdbc4 versions+3
NVDlightbend/akka_http< 10.5.2

Also affects: Debian Linux 10.0

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

6
CVEList
CVE-2023-33251: When Akka HTTP before 102023-05-21
GHSA
GHSA-9f9g-qwcw-j94j: When Akka HTTP before 102023-05-21
CVEList
TemporaryFolder on unix-like systems does not limit access to created files in pgjdbc2022-11-23
OSV
CVE-2022-41946: pgjdbc is an open source postgresql JDBC Driver2022-11-23
OSV
TemporaryFolder on unix-like systems does not limit access to created files2022-11-23

📋Vendor Advisories

2
Red Hat
postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions2022-11-23
Debian
CVE-2022-41946: libpgjava - pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared...2022
CVE-2022-41946 — Sensitive Information Exposure | cvebase