What is CVE-2022-26520?

CVE-2022-26520 is a vulnerability found in Postgres JDBC that allows an attacker to write to arbitrary files.

What is the severity of CVE-2022-26520?

The severity of CVE-2022-26520 is critical with a CVSS score of 9.8.

Which software versions are affected by CVE-2022-26520?

Versions of Postgres JDBC prior to 42.3.3 and certain versions of libpgjava and PostgreSQL JDBC Driver are affected by CVE-2022-26520.

How can I fix the CVE-2022-26520 vulnerability?

To fix the CVE-2022-26520 vulnerability, you should update your Postgres JDBC library to version 42.3.3 or later.

Vulnerability/
CVE-2022-26520

critical

9.8

CWE

552

1/2/2022

7/3/2022

11/3/2022

3/8/2024

CVE-2022-26520

Q: How does the CVE-2022-26520 vulnerability work?

The vulnerability allows an attacker who controls the jdbc URL or properties to call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties.

First published: Tue Feb 01 2022(Updated: )

** DISPUTED ** In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

Credit: cve@mitre.org cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
maven/org.postgresql:postgresql	>=42.1.0<42.3.3	42.3.3
debian/libpgjava		42.2.5-2+deb10u1 42.2.5-2+deb10u3 42.2.15-1+deb11u1 42.5.4-1 42.6.0-2
Postgresql Postgresql Jdbc Driver	>=42.1.0<=42.1.4
Postgresql Postgresql Jdbc Driver	>=42.3.0<42.3.3
Debian Debian Linux	=10.0
Debian Debian Linux	=11.0
	>=42.1.0<=42.1.4
	>=42.3.0<42.3.3
	=10.0
	=11.0

Remedy

https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2022-26520?
CVE-2022-26520 is a vulnerability found in Postgres JDBC that allows an attacker to write to arbitrary files.
How does the CVE-2022-26520 vulnerability work?
The vulnerability allows an attacker who controls the jdbc URL or properties to call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties.
What is the severity of CVE-2022-26520?
The severity of CVE-2022-26520 is critical with a CVSS score of 9.8.
Which software versions are affected by CVE-2022-26520?
Versions of Postgres JDBC prior to 42.3.3 and certain versions of libpgjava and PostgreSQL JDBC Driver are affected by CVE-2022-26520.
How can I fix the CVE-2022-26520 vulnerability?
To fix the CVE-2022-26520 vulnerability, you should update your Postgres JDBC library to version 42.3.3 or later.

collector/github-advisory
alias/GHSA-727h-hrw8-jg8q
alias/CVE-2022-26520
collector/github-advisory-latest
collector/redhat-cve
collector/security-tracker-debian
collector/nvd-index
collector/nvd-cve
agent/type
agent/status
agent/first-publish-date
agent/remedy
agent/weakness
agent/references
agent/severity
collector/redhat-bugzilla
source/Red Hat
agent/author
agent/softwarecombine
agent/description
collector/mitre-cve
source/MITRE
agent/tags
agent/event
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/last-modified-date
agent/trending
package-manager/maven
package-manager/debian
status/disputed
vendor/postgresql
canonical/postgresql postgresql jdbc driver
version/postgresql postgresql jdbc driver/42.1.0
version/postgresql postgresql jdbc driver/42.1.4
version/postgresql postgresql jdbc driver/42.3.0
vendor/debian
canonical/debian debian linux
version/debian debian linux/10.0
version/debian debian linux/11.0