CVE-2022-26520
Path traversal in org.postgresql:postgresql
9.8
CRITICAL
CVSS 3.1
EPSS 0.99%
Description
In pgjdbc before 42.3.3, an attacker (who controls the JDBC URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.
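The vendor's note above puts the burden on the application: connection properties and the JDBC URL must not be passed through to the driver unfiltered. The following is an added example, not code from the pgjdbc project or from this advisory, showing one way an application can accept a PostgreSQL JDBC URL and a property set from a less trusted source (a tenant configuration, an uploaded settings file) while keeping the driver's file-writing options out of reach. It assumes the application only needs the host, port and database from the URL and a small, explicit set of properties; the ALLOWED set is an assumption for illustration and should be adjusted to what a deployment actually needs. Only JDK classes and the standard `DriverManager` entry point are used.

```java
import java.net.URI;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;

public final class TrustedPgConnection {
    private static final String PREFIX = "jdbc:postgresql:";

    // Connection-property names this application is willing to accept from an
    // external source. This allowlist is an assumption for the example; extend it
    // deliberately rather than passing the whole property set to the driver.
    private static final Set<String> ALLOWED = Set.of("user", "password", "sslmode", "ApplicationName");

    // The two properties behind CVE-2022-26520. They point java.util.logging's
    // FileHandler at a path of the caller's choosing, so they are rejected
    // outright instead of silently dropped, which makes misuse visible in logs.
    private static final Set<String> DENIED = Set.of("loggerFile", "loggerLevel");

    /**
     * Keeps only scheme, host, port and database name from an externally supplied
     * URL. The query string (where loggerFile=... would travel) and any userinfo
     * are discarded; credentials are expected to arrive as filtered properties.
     */
    public static String sanitizeUrl(String untrustedUrl) {
        if (untrustedUrl == null || !untrustedUrl.startsWith(PREFIX)) {
            throw new IllegalArgumentException("not a PostgreSQL JDBC URL");
        }
        // "jdbc:postgresql://host:5432/db?x=y" -> parse "//host:5432/db?x=y" as a URI
        URI u = URI.create(untrustedUrl.substring(PREFIX.length()));
        String host = u.getHost();
        String path = u.getRawPath();
        if (host == null || path == null || path.length() < 2 || path.indexOf('/', 1) >= 0) {
            throw new IllegalArgumentException("URL must name exactly one host and one database");
        }
        StringBuilder sb = new StringBuilder(PREFIX).append("//").append(host);
        if (u.getPort() >= 0) {
            sb.append(':').append(u.getPort());
        }
        return sb.append(path).toString();
    }

    /** Returns a fresh Properties object containing only allowlisted keys. */
    public static Properties filterProperties(Properties untrusted) {
        Properties safe = new Properties();
        if (untrusted == null) {
            return safe;
        }
        for (String name : untrusted.stringPropertyNames()) {
            if (DENIED.contains(name)) {
                throw new IllegalArgumentException("connection property not permitted: " + name);
            }
            if (ALLOWED.contains(name)) {
                safe.setProperty(name, untrusted.getProperty(name));
            }
            // Any other key is dropped: the driver never sees it.
        }
        return safe;
    }

    /** Opens a connection using only the sanitized URL and the filtered properties. */
    public static Connection connect(String untrustedUrl, Properties untrustedProps) throws SQLException {
        return DriverManager.getConnection(sanitizeUrl(untrustedUrl), filterProperties(untrustedProps));
    }

    // Constructed input for a quick manual check; no database is contacted here.
    public static void main(String[] args) {
        String url = "jdbc:postgresql://db.example.internal:5432/app?loggerFile=/tmp/x&loggerLevel=DEBUG";
        System.out.println(sanitizeUrl(url)); // jdbc:postgresql://db.example.internal:5432/app

        Properties p = new Properties();
        p.setProperty("user", "app");
        p.setProperty("loggerLevel", "DEBUG");
        try {
            filterProperties(p);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the denied keys rather than dropping them is a deliberate choice: a property set that tries to reach `loggerFile` is itself a signal worth surfacing in application logs. Upgrading to 42.3.3 or later remains the primary fix; this filtering is the defence-in-depth layer the vendor's statement implies the application should already have.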
How to fix CVE-2022-26520
To remediate CVE-2022-26520, upgrade the affected package to a fixed version below.
- upgrade to 42.1.5 or later
- upgrade to 42.2.15-1+deb11u1 or later
- upgrade to 42.3.3 or later
- upgrade to 42.3.3 or later
Is CVE-2022-26520 being exploited?
Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 42.1.0, < 42.1.5, >= 42.3.0, < 42.3.3
- from 0, < 42.2.15-1+deb11u1
- >= 42.1.0, < 42.3.3
- >= 42.1.0, < 42.3.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |