| Vulnerability Name: | CVE-2022-21724 (CCN-218798) | ||||||||||||
| Assigned: | 2021-11-16 | ||||||||||||
| Published: | 2022-02-01 | ||||||||||||
| Updated: | 2022-11-09 | ||||||||||||
| Summary: | pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue. | ||||||||||||
| CVSS v3 Severity: | 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
7.4 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
| ||||||||||||
| Vulnerability Type: | CWE-665 | ||||||||||||
| Vulnerability Consequences: | Gain Access | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2022-21724 Source: XF Type: UNKNOWN pgjdbc-cve202221724-code-exec(218798) Source: MISC Type: Patch, Third Party Advisory https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813 Source: CCN Type: pgjdbc GIT Repository Unchecked Class Instantiation when providing Plugin Classes Source: CONFIRM Type: Exploit, Third Party Advisory https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4 Source: MLIST Type: Mailing List, Third Party Advisory [debian-lts-announce] 20220520 [SECURITY] [DLA 3018-1] libpgjava security update Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2022-1151f65e9a Source: CONFIRM Type: Third Party Advisory https://security.netapp.com/advisory/ntap-20220311-0005/ Source: DEBIAN Type: Third Party Advisory DSA-5196 Source: CCN Type: IBM Security Bulletin 6575507 (Watson Speech Services Cartridge for Cloud Pak for Data) A vulnerability in PostgreSQL JDBC Driver (PgJDBC) affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2022-21724) Source: CCN Type: IBM Security Bulletin 6602599 (Tivoli Netcool/Impact) A security vulnerability has been identified in Postgresql shipped with IBM Tivoli Netcool Impact (CVE-2022-26520, CVE-2022-21724, WS-2022-0080) Source: CCN Type: IBM Security Bulletin 6602625 (i Modernization Engine for Lifecycle Integration) IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities Source: CCN Type: IBM Security Bulletin 6832944 (Business Automation Manager Open Editions) Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.1 Source: CCN Type: IBM Security Bulletin 6854915 (Security Verify Governance) IBM Security Verify Governance is vulnerable to arbitrary code execution, sensitive information exposure and unauthorized access due to PostgreSQL Source: CCN Type: IBM Security Bulletin 6967333 (QRadar SIEM) IBM QRadar SIEM includes components with known vulnerabilities Source: CCN Type: IBM Security Bulletin 6982841 (Netcool Operations Insight) Netcool Operations Insight v1.6.8 addresses multiple security vulnerabilities. Source: CCN Type: IBM Security Bulletin 7004655 (Cloud Pak for Security) IBM Cloud Pak for Security includes components with multiple known vulnerabilities | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration 3: Configuration 4: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||