PT-2022-5790 · Pgjdbc+8

Jlleitschuh · Published 2022-11-23 · Updated 2025-01-31 · CVE-2022-41946

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: pgjdbc versions prior to 4.5.0
Description: The issue lies in the implementation of the PreparedStatement.setText() and PreparedStatement.setBytea() methods in the PgJDBC driver, which can create temporary files that are readable by other local users on Unix-like systems. This is an information disclosure issue: a local attacker could read the contents of those files and thereby obtain sensitive data. Whether the vulnerability applies depends on the version of the JDK in use.
Recommendations: Users on Java 1.7 or later should update to version 4.5.0, which fixes the issue. For Java 1.6 and earlier no patch is available, but pointing the java.io.tmpdir JVM system property at a directory owned exclusively by the executing user mitigates the vulnerability.
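The following is an added illustration of the two sides of this advisory and is not pgjdbc code: the weak temp-file pattern (java.io.File.createTempFile honours only the process umask, so with the usual umask 022 the file is created mode 0644 and any local user can read it) beside the hardened java.nio pattern that requests owner-only permissions at creation time, plus a check that the java.io.tmpdir directory is owned by the running user with no group/other access, which is the property the Java 1.6 mitigation relies on. The class and method names are assumptions for the example; the check itself needs Java 7+ (java.nio.file), so on a Java 6 runtime verify the directory with ls -ld instead.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/** Illustrative example (hypothetical class, not pgjdbc code): weak vs. owner-only temp files,
 *  plus a java.io.tmpdir ownership/mode check. */
public class TempFileHardening {

    private static boolean posix() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    /** Weak pattern: File.createTempFile applies only the process umask, so with umask 022 the
     *  file is created 0644 and is readable by every local user. */
    static Path weakTempFile() throws IOException {
        File f = File.createTempFile("weak-", ".tmp");
        f.deleteOnExit();
        return f.toPath();
    }

    /** Hardened pattern (Java 7+): ask for rw------- at creation time, so the file never exists
     *  with wider permissions, not even briefly between create and a later chmod. On POSIX
     *  Files.createTempFile already defaults to owner-only; the explicit attribute documents it. */
    static Path hardenedTempFile() throws IOException {
        Path p;
        if (posix()) {
            Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
            FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
            p = Files.createTempFile("hardened-", ".tmp", attr);
        } else {
            // Non-POSIX filesystem (e.g. Windows): the POSIX attribute is unsupported, so fall back
            // to the default, which inherits the ACL of the user's temp directory.
            p = Files.createTempFile("hardened-", ".tmp");
        }
        p.toFile().deleteOnExit();
        return p;
    }

    /** Mitigation check for runtimes that cannot be patched: java.io.tmpdir must be a directory
     *  owned by the running user that grants no group/other permissions (i.e. mode 0700). */
    static boolean tmpdirIsPrivate() throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        if (!posix()) {
            return false; // ownership and mode cannot be verified portably; treat as not private
        }
        PosixFileAttributes attrs = Files.readAttributes(tmp, PosixFileAttributes.class);
        boolean ownedByUs = attrs.owner().getName().equals(System.getProperty("user.name"));
        Set<PosixFilePermission> widening = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);
        widening.retainAll(attrs.permissions()); // keep only the bits that actually widen access
        return attrs.isDirectory() && ownedByUs && widening.isEmpty();
    }

    /** Human-readable mode string (e.g. rw-r--r--) for the comparison printed by main. */
    static String modeOf(Path p) throws IOException {
        return posix() ? PosixFilePermissions.toString(Files.getPosixFilePermissions(p)) : "n/a";
    }

    public static void main(String[] args) throws IOException {
        System.out.println("java.io.tmpdir = " + System.getProperty("java.io.tmpdir")
            + " private=" + tmpdirIsPrivate());
        System.out.println("File.createTempFile  -> " + modeOf(weakTempFile()));
        System.out.println("Files.createTempFile -> " + modeOf(hardenedTempFile()));
    }
}
```

Run it once with the default temp directory and once as java -Djava.io.tmpdir=/path/owned/by/me TempFileHardening (the directory created beforehand with mkdir -m 700): the first run typically reports the shared /tmp as not private and the weak file as rw-r--r--, while the hardened file is rw------- in both runs. Setting java.io.tmpdir narrows who can reach the directory, but it does not change the mode of files a vulnerable driver creates inside it, which is why the upgrade is the recommended fix where it is available.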

Weakness Enumeration: Exposure of Resource to Wrong Sphere; Information Disclosure

Related Identifiers

ALSA-2023:2378
ALSA-2023:2867
ALSA-2023_2378
ALSA-2023_2867
ALT-PU-2023-8458
ALT-PU-2023-8462
ALT-PU-2024-16562
BDU:2022-07190
BIT-POSTGRESQL-JDBC-DRIVER-2022-41946
CESA-2023_2867
CVE-2022-41946
DLA-3218-1
DLA-3995-1
GHSA-562R-VG33-8X8H
OESA-2023-1366
OPENSUSE-SU-2023_0103-1
OPENSUSE-SU-2024:12606-1
RHSA-2023:0759
RHSA-2023:1630
RHSA-2023:2097
RHSA-2023:2378
RHSA-2023:2867
RHSA-2023_2378
RHSA-2023_2867
RLSA-2023:2097
SUSE-SU-2023:0103-1
SUSE-SU-2023:0104-1
SUSE-SU-2023:0451-1
SUSE-SU-2023_0103-1
SUSE-SU-2023_0104-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Red Hat
Red Os
Rocky Linux
Suse
Pgjdbc