Information Exposure Affecting org.postgresql:postgresql package, versions [42.2.0,42.2.27)[42.3.0,42.3.8)[42.4.0,42.4.3)[42.5.0,42.5.1)
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JAVA-ORGPOSTGRESQL-3146847
- published24 Nov 2022
- disclosed24 Nov 2022
- creditJonathan Leitschuh
Introduced: 24 Nov 2022
CVE-2022-41946 (opens in a new tab)How to fix?
Upgrade org.postgresql:postgresql to version 42.2.27, 42.3.8, 42.4.3, 42.5.1 or higher.
Overview
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.
Affected versions of this package are vulnerable to Information Exposure in the pgjdbc driver, which writes to the operating system's shared temp directory when the InputStream to either PreparedStatement.setText(int, InputStream) or PreparedStatemet.setBytea(int, InputStream) is larger than 2K. The temporary file is readable by other users. This is the default system behavior on Unix systems but not on MacOS.
NOTE: This vulnerability is only fixed for JDK 1.7. Systems using JDK 1.6 or below can work around the vulnerability by setting the environment variable java.io.tmpdir to a non-world-readable location.