GHSA-727h-hrw8-jg8q

Suggest an improvement
Source
https://github.com/advisories/GHSA-727h-hrw8-jg8q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-727h-hrw8-jg8q/GHSA-727h-hrw8-jg8q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-727h-hrw8-jg8q
Aliases
Published
2022-03-11T00:02:02Z
Modified
2024-02-16T07:58:20.700461Z
Summary
Path traversal in org.postgresql:postgresql
Details

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

References

Affected packages

Maven / org.postgresql:postgresql

Package

Name
org.postgresql:postgresql
View open source insights on deps.dev
Purl
pkg:maven/org.postgresql/postgresql

Affected ranges

Type
ECOSYSTEM
Events
Introduced
42.1.0
Fixed
42.3.3

Affected versions

42.*

42.1.0
42.1.0.jre7
42.1.1
42.1.1.jre6
42.1.1.jre7
42.1.2
42.1.2.jre6
42.1.2.jre7
42.1.3
42.1.3.jre6
42.1.3.jre7
42.1.4
42.1.4.jre6
42.1.4.jre7
42.2.0
42.2.0.jre6
42.2.0.jre7
42.2.1
42.2.1.jre6
42.2.1.jre7
42.2.2
42.2.2.jre6
42.2.2.jre7
42.2.3
42.2.3.jre6
42.2.3.jre7
42.2.4
42.2.4.jre6
42.2.4.jre7
42.2.5
42.2.5.jre6
42.2.5.jre7
42.2.6
42.2.6.jre6
42.2.6.jre7
42.2.7
42.2.7.jre6
42.2.7.jre7
42.2.8
42.2.8.jre6
42.2.8.jre7
42.2.9
42.2.9.jre6
42.2.9.jre7
42.2.10
42.2.10.jre6
42.2.10.jre7
42.2.11
42.2.11.jre6
42.2.11.jre7
42.2.12
42.2.12.jre6
42.2.12.jre7
42.2.13
42.2.13.jre6
42.2.13.jre7
42.2.14
42.2.14.jre6
42.2.14.jre7
42.2.15
42.2.15.jre6
42.2.15.jre7
42.2.16
42.2.16.jre6
42.2.16.jre7
42.2.17
42.2.17.jre6
42.2.17.jre7
42.2.18
42.2.18.jre6
42.2.18.jre7
42.2.19
42.2.19.jre6
42.2.19.jre7
42.2.20
42.2.20.jre6
42.2.20.jre7
42.2.21
42.2.21.jre6
42.2.21.jre7
42.2.22
42.2.22.jre6
42.2.22.jre7
42.2.23
42.2.23.jre6
42.2.23.jre7
42.2.24
42.2.24.jre6
42.2.24.jre7
42.2.25
42.2.25.jre6
42.2.25.jre7
42.2.26
42.2.26.jre6
42.2.26.jre7
42.2.27
42.2.27.jre6
42.2.27.jre7
42.3.0
42.3.1
42.3.2