Information Exposure Affecting org.postgresql:postgresql package, versions [42.2.0,42.2.27) [42.3.0,42.3.8) [42.4.0,42.4.3) [42.5.0,42.5.1)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGPOSTGRESQL-3146847
- published 24 Nov 2022
- disclosed 24 Nov 2022
- credit Jonathan Leitschuh
Introduced: 24 Nov 2022
CVE-2022-41946 Open this link in a new tabHow to fix?
Upgrade org.postgresql:postgresql to version 42.2.27, 42.3.8, 42.4.3, 42.5.1 or higher.
Overview
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.
Affected versions of this package are vulnerable to Information Exposure in the pgjdbc driver, which writes to the operating system's shared temp directory when the InputStream to either PreparedStatement.setText(int, InputStream) or PreparedStatemet.setBytea(int, InputStream) is larger than 2K. The temporary file is readable by other users. This is the default system behavior on Unix systems but not on MacOS.
NOTE: This vulnerability is only fixed for JDK 1.7. Systems using JDK 1.6 or below can work around the vulnerability by setting the environment variable java.io.tmpdir to a non-world-readable location.