ALT-PU-2023-8463-1

Package update postgresql-jdbc in branch c9f2

Version: 42.3.3-alt0.c9.1_1jpp8
Published: 2023-07-05
Max severity: CRITICAL

Closed issues (5)

BDU:2022-00821
CRITICAL 9.8

Vulnerability in the pgjdbc JDBC driver for connecting Java programs to a PostgreSQL database, allowing an attacker to execute arbitrary code

Published: 2022-02-17
Modified: 2024-09-13
CVSS 3.x: CRITICAL 9.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0: CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
BDU:2022-03872
HIGH 7.7

Vulnerability in the JDBC driver (PgJDBC) for connecting Java programs to a PostgreSQL database, allowing an attacker to conduct XXE attacks

Published: 2022-06-29
Modified: 2022-11-21
CVSS 3.x: HIGH 7.7
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H
CVSS 2.0: CRITICAL 9.0
CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:P/A:C
CVE-2018-10936
HIGH 8.1

A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA.

Published: 2018-08-30
Modified: 2024-11-21
CVSS 2.0: MEDIUM 6.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 3.x: HIGH 8.1
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-13692
HIGH 7.7

PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.

Published: 2020-06-04
Modified: 2024-11-21
CVSS 2.0: MEDIUM 6.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 3.x: HIGH 7.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H
CVE-2022-21724
CRITICAL 9.8

pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when an attacker controls the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.

Published: 2022-02-02
Modified: 2025-05-05
CVSS 2.0: HIGH 7.5
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 3.x: CRITICAL 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H