9.8
CVSSv3

CVE-2022-21724

Published: 02/02/2022 Updated: 21/11/2024

Vulnerability Summary

pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

postgresql postgresql jdbc driver

postgresql postgresql jdbc driver 42.3.2

fedoraproject fedora 35

quarkus quarkus

debian debian linux 9.0

debian debian linux 10.0

debian debian linux 11.0

Vendor Advisories

Synopsis Important: Red Hat Process Automation Manager 7131 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat Process Automation ManagerRed Hat Product Security has rated this update as having a security impact of Low A Common Vulnerability Scoring System (CVSS) base score, which gives ...
Synopsis Important: Red Hat Fuse 7110 release and security update Type/Severity Security Advisory: Important Topic A minor version update (from 710 to 711) is now available for Red Hat Fuse The purpose of this text-only errata is to inform you about the security issues fixed in this releaseRed Hat Product Security has rated this update ...
Synopsis Important: Service Registry (container images) release and security update [230GA] Type/Severity Security Advisory: Important Topic An update to the images for Red Hat Integration Service Registry is now available from the Red Hat Container Catalog The purpose of this text-only errata is to inform you about the security issues fi ...
Synopsis Moderate: Red Hat build of Quarkus 275 release and security update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat build of QuarkusRed Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System (CVSS) base score, which gives a det ...
Several security vulnerabilities have been found in libpgjava, the official PostgreSQL JDBC Driver CVE-2020-13692 An XML External Entity (XXE) weakness was found in PostgreSQL JDBC CVE-2022-21724 The JDBC driver did not verify if certain classes implemented the expected interface before instantiating the class This can lead to code ...
pgjdbc is the offical PostgreSQL JDBC Driver A security hole was found in the jdbc driver for postgresql database while doing security research The system using the postgresql library will be attacked when attacker control the jdbc url or properties pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClass ...

Github Repositories

Synchro Task SynchroTask is a lightweight library which helps to synchronize Java routines in distributed environments Synchronization is one of the most important parts in software development Programming languages offer a wide range of options to work with locks and concurrency In Java, developers can choose between low-level features, such as synchronized or methods li

Some ReadObject Sink With JDBC

Deserial_Sink_With_JDBC 如果你: 厌倦了高版本JDK中TemplatesImpl已经被移除 寻找gadget却想不到sink 无法扩大JDBC攻击的危害 不妨试试以下JDBC与原生反序列化的结合 (以下sink均为getter触发,可配合cb、fj、jackson等链子使用) Postgresql PostgreSQL的JDBC存在一个CVE-2022-21724,其影响范围是 941208 <

实战场景较通用的 Java Rce 相关漏洞的利用方式 | Common Exploitation Techniques for Java RCE Vulnerabilities in Real-World Scenarios

JavaRceDemo By Whoopsunix 0x00 do what? 🚀 记录贴 对照实战场景梳理较通用的 Java Rce 相关漏洞的利用方式或知识点 🚩 对于实际环境遇到过的组件如有必要会针对可利用版本进行一个梳理 慢更 🚧 长期项目 不定期学习后更新 🪝 PPPRASP 项目中对本项目给出的漏洞实现防护(仅实现关键函数

2023 陇剑杯 线上初赛附件

longjiancup2023 2023 陇剑杯 线上初赛流量分析部分附件 | 题目以及答案 百度云盘打包下载: 链接:panbaiducom/s/15khq_ietiipRjb4EN1YfNg?pwd=o12u 提取码:o12u 根据各位需求提供一下WP地址,这里推荐附件题看先知社区的WP:xzaliyuncom/t/12806#toc-27 本次线上赛就一道WEB题目 WP可以看NK战队的WP h

Cloud Security Guides Cloud Security Guides 是由腾讯安全云鼎实验室维护的一个云计算安全知识库项目,用来收集云安全研究期间发现的优秀资源、文献、典型云安全漏洞以及知识图谱等,并以云参考模型架构为依托,将云上安全资源进行分类编排,为云上安全能力建设工作提供一份参考指南。Cl

Cloud Security Guides Cloud Security Guides 是由腾讯安全云鼎实验室维护的一个云计算安全知识库项目,用来收集云安全研究期间发现的优秀资源、文献、典型云安全漏洞以及知识图谱等,并以云参考模型架构为依托,将云上安全资源进行分类编排,为云上安全能力建设工作提供一份参考指南。Cl

2023 陇剑杯 线上初赛附件

longjiancup2023 2023 陇剑杯 线上初赛流量分析部分附件 | 题目以及答案 百度云盘打包下载: 链接:panbaiducom/s/15khq_ietiipRjb4EN1YfNg?pwd=o12u 提取码:o12u 根据各位需求提供一下WP地址,这里推荐附件题看先知社区的WP:xzaliyuncom/t/12806#toc-27 本次线上赛就一道WEB题目 WP可以看NK战队的WP h

Cloud Security Guides Cloud Security Guides 是由腾讯安全云鼎实验室维护的一个云计算安全知识库项目,用来收集云安全研究期间发现的优秀资源、文献、典型云安全漏洞以及知识图谱等,并以云参考模型架构为依托,将云上安全资源进行分类编排,为云上安全能力建设工作提供一份参考指南。Cl

入门篇 一个小哥写的博客,可以作为静态程序分析的入门 (一)初识软件分析 (二)数据流分析基础 (三)Datalog和程序分析 (四)静态单赋值和稀疏分析 (五)过程间分析 (六)指向分析 (七)抽象解释 (八)SMT和符号执行 (九)体验静态分析工具 自动化漏洞挖掘:静态程序