CVE-2022-21724

Unchecked Class Instantiation when providing Plugin Classes

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.

pgjdbc es el controlador JDBC oficial de PostgreSQL. Se encontró un agujero de seguridad en el controlador jdbc para la base de datos postgresql mientras se hacía una investigación de seguridad. El sistema que utiliza la librería postgresql será atacado cuando un atacante controle la url o las propiedades del jdbc. pgjdbc instala instancias de plugins basados en los nombres de clase proporcionados a través de las propiedades de conexión `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback`. Sin embargo, el controlador no verifica si la clase implementa la interfaz esperada antes de instanciar la clase. Esto puede llevar a la ejecución de código cargado a través de clases arbitrarias. Se aconseja a los usuarios que utilicen plugins que se actualicen. No hay soluciones conocidas para este problema

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-11-16 CVE Reserved
2022-02-02 CVE Published
2024-07-08 First Exploit
2024-08-03 CVE Updated
2024-09-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-665: Improper Initialization

CAPEC

References (9)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html	Mailing List
https://security.netapp.com/advisory/ntap-20220311-0005	Third Party Advisory

URL	Date	SRC
https://github.com/ToontjeM/CVE-2022-21724	2024-07-08
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4	2024-08-03

URL	Date	SRC
https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS	2023-11-07
https://www.debian.org/security/2022/dsa-5196	2023-11-07
https://access.redhat.com/security/cve/CVE-2022-21724	2022-10-06
https://bugzilla.redhat.com/show_bug.cgi?id=2050863	2022-10-06

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Postgresql Search vendor "Postgresql"		Postgresql Jdbc Driver Search vendor "Postgresql" for product "Postgresql Jdbc Driver"				< 42.2.25 Search vendor "Postgresql" for product "Postgresql Jdbc Driver" and version " < 42.2.25"		-		Affected
Postgresql Search vendor "Postgresql"		Postgresql Jdbc Driver Search vendor "Postgresql" for product "Postgresql Jdbc Driver"				>= 42.3.0 < 42.3.2 Search vendor "Postgresql" for product "Postgresql Jdbc Driver" and version " >= 42.3.0 < 42.3.2"		-		Affected
Postgresql Search vendor "Postgresql"		Postgresql Jdbc Driver Search vendor "Postgresql" for product "Postgresql Jdbc Driver"				42.3.2 Search vendor "Postgresql" for product "Postgresql Jdbc Driver" and version "42.3.2"		rc1		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Quarkus Search vendor "Quarkus"		Quarkus Search vendor "Quarkus" for product "Quarkus"				< 2.7.2 Search vendor "Quarkus" for product "Quarkus" and version " < 2.7.2"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected