Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2022-26520

Опубликовано: 10 мар. 2022
Источник: ubuntu
Приоритет: medium
EPSS Низкий
CVSS2: 7.5
CVSS3: 9.8

Описание

** DISPUTED ** In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

РелизСтатусПримечание
bionic

ignored

end of standard support, was needed
devel

not-affected

42.3.3-1
esm-apps/bionic

not-affected

disputed
esm-apps/focal

not-affected

disputed
esm-apps/jammy

not-affected

42.3.3-1
esm-apps/noble

not-affected

42.3.3-1
esm-apps/xenial

not-affected

code not present
esm-infra-legacy/trusty

not-affected

code not present
focal

not-affected

disputed
impish

ignored

end of life

Показывать по

Ссылки на источники

EPSS

Процентиль: 69%
0.00622
Низкий

7.5 High

CVSS2

9.8 Critical

CVSS3

Связанные уязвимости

redhat логотип

CVE-2022-26520

CVSS3: 9.8
redhat
больше 3 лет назад

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties

nvd логотип

CVE-2022-26520

CVSS3: 9.8
nvd
больше 3 лет назад

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties

debian логотип

CVE-2022-26520

CVSS3: 9.8
debian
больше 3 лет назад

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or pro ...

suse-cvrf логотип

SUSE-SU-2022:2655-1

suse-cvrf
почти 3 года назад

Security update for postgresql-jdbc

suse-cvrf логотип

SUSE-FU-2022:2794-1

suse-cvrf
почти 3 года назад

Feature update for ongres-scram, ongres-stringprep, postgresql-jdbc

EPSS

Процентиль: 69%
0.00622
Низкий

7.5 High

CVSS2

9.8 Critical

CVSS3