9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.018 Low
EPSS
Percentile
87.9%
pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in
the jdbc driver for postgresql database while doing security research. The
system using the postgresql library will be attacked when attacker control
the jdbc url or properties. pgjdbc instantiates plugin instances based on
class names provided via authenticationPluginClassName
,
sslhostnameverifier
, socketFactory
, sslfactory
, sslpasswordcallback
connection properties. However, the driver did not verify if the class
implements the expected interface before instantiating the class. This can
lead to code execution loaded via arbitrary classes. Users using plugins
are advised to upgrade. There are no known workarounds for this issue.
github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813 (REL42.3.2)
github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
launchpad.net/bugs/cve/CVE-2022-21724
nvd.nist.gov/vuln/detail/CVE-2022-21724
security-tracker.debian.org/tracker/CVE-2022-21724
www.cve.org/CVERecord?id=CVE-2022-21724
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.018 Low
EPSS
Percentile
87.9%