CVE-2022-41946
TemporaryFolder on unix-like systems does not limit access to created files in pgjdbc
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
Es un componente postgresql JDBC de código abierto. En las versiones afectadas, una declaración preparada que utilice `PreparedStatement.setText(int, InputStream)` o `PreparedStatemet.setBytea(int, InputStream)` creará un archivo temporal si el InputStream es mayor que 2k. Esto creará un archivo temporal que otros usuarios podrán leer en sistemas similares a Unix, pero no a MacOS. En sistemas tipo Unix, el directorio temporal del sistema se comparte entre todos los usuarios de ese sistema. Debido a esto, cuando los archivos y directorios se escriben en este directorio, de forma predeterminada, otros usuarios en ese mismo sistema pueden leerlos. Esta vulnerabilidad no permite que otros usuarios sobrescriban el contenido de estos directorios o archivos. Esto es puramente una vulnerabilidad de divulgación de información. Debido a que ciertas API del sistema de archivos JDK solo se agregaron en JDK 1.7, esta solución depende de la versión de JDK que esté utilizando. Usuarios de Java 1.7 y superiores: esta vulnerabilidad se solucionó en 4.5.0. Usuarios de Java 1.6 y versiones anteriores: no hay ningún parche disponible. Si no puede parchear o no puede ejecutar Java 1.6, especificar la variable de entorno del sistema java.io.tmpdir en un directorio que sea propiedad exclusiva del usuario que lo ejecuta mitigará esta vulnerabilidad.
A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-09-30 CVE Reserved
- 2022-11-23 CVE Published
- 2024-06-15 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-377: Insecure Temporary File
- CWE-668: Exposure of Resource to Wrong Sphere
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20240329-0003 |
|
| URL | Date | SRC |
|---|---|---|
| https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h | 2024-08-03 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 | 2024-03-29 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Postgresql Search vendor "Postgresql" | Postgresql Jdbc Driver Search vendor "Postgresql" for product "Postgresql Jdbc Driver" | >= 42.2.0 < 42.2.27 Search vendor "Postgresql" for product "Postgresql Jdbc Driver" and version " >= 42.2.0 < 42.2.27" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Jdbc Driver Search vendor "Postgresql" for product "Postgresql Jdbc Driver" | >= 42.3.0 < 42.3.8 Search vendor "Postgresql" for product "Postgresql Jdbc Driver" and version " >= 42.3.0 < 42.3.8" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Jdbc Driver Search vendor "Postgresql" for product "Postgresql Jdbc Driver" | >= 42.4.0 < 42.4.3 Search vendor "Postgresql" for product "Postgresql Jdbc Driver" and version " >= 42.4.0 < 42.4.3" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Jdbc Driver Search vendor "Postgresql" for product "Postgresql Jdbc Driver" | 42.5.0 Search vendor "Postgresql" for product "Postgresql Jdbc Driver" and version "42.5.0" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Jdbc Driver Search vendor "Postgresql" for product "Postgresql Jdbc Driver" | 42.5.0 Search vendor "Postgresql" for product "Postgresql Jdbc Driver" and version "42.5.0" | rc1 |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||