CVE-2022-26520 in PostgreSQL and Debian Products
Published on March 10, 2022

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties

Vendor Advisory NVD

Products Associated with CVE-2022-26520

stack.watch emails you whenever new vulnerabilities are published in PostgreSQL JDBC Driver or Debian Linux. Just hit a watch button to start following.

PostgreSQL JDBC Driver

Debian Linux

Exploit Probability

EPSS

1.28%

Percentile

79.33%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

CVE-2022-26520 in PostgreSQL and Debian ProductsPublished on March 10, 2022

Products Associated with CVE-2022-26520

Exploit Probability

CVE-2022-26520 in PostgreSQL and Debian Products
Published on March 10, 2022