By the Year
In 2022 there have been 2 vulnerabilities in PostgreSQL Pgjdbc with an average score of 9.8 out of ten. Pgjdbc did not have any published security vulnerabilities last year. That is, 2 more vulnerabilities have already been reported in 2022 as compared to last year.
It may take a day or so for new Pgjdbc vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent PostgreSQL Pgjdbc Security Vulnerabilities
** DISPUTED ** In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties)
9.8 - Critical
- March 10, 2022
** DISPUTED ** In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.
pgjdbc is the offical PostgreSQL JDBC Driver
9.8 - Critical
- February 02, 2022
pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.