GHSA-673j-qm5f-xpv8

Suggest an improvement
Source
https://github.com/advisories/GHSA-673j-qm5f-xpv8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-673j-qm5f-xpv8/GHSA-673j-qm5f-xpv8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-673j-qm5f-xpv8
Published
2022-02-16T00:08:18Z
Modified
2024-12-05T05:27:07.443111Z
Summary
pgjdbc Arbitrary File Write Vulnerability
Details

Overview

The connection properties for configuring a pgjdbc connection are not meant to be exposed to an unauthenticated attacker. While allowing an attacker to specify arbitrary connection properties could lead to a compromise of a system, that's a defect of an application that allows unauthenticated attackers that level of control.

It's not the job of the pgjdbc driver to decide whether a given log file location is acceptable. End user applications that use the pgjdbc driver must ensure that filenames are valid and restrict unauthenticated attackers from being able to supply arbitrary values. That's not specific to the pgjdbc driver either, it would be true for any library that can write to the application's local file system.

While we do not consider this a security issue with the driver, we have decided to remove the loggerFile and loggerLevel connection properties in the next release of the driver. Removal of those properties does not make exposing the JDBC URL or connection properties to an attacker safe and we continue to suggest that applications do not allow untrusted users to specify arbitrary connection properties. We are removing them to prevent misuse and their functionality can be delegated to java.util.logging.

If you identify an application that allows remote users to specify a complete JDBC URL or properties without validating it's contents, we encourage you to notify the application owner as that may be a security defect in that specific application.

Impact

It is possible to specify an arbitrary filename in the loggerFileName connection parameter "jdbc:postgresql://localhost:5432/test?user=test&password=test&loggerLevel=DEBUG&loggerFile=./blah.jsp&<%Runtime.getRuntime().exec(request.getParameter(\"i\"));%>"

This creates a valid JSP file which could lead to a Remote Code Execution

Patches

LoggerFile implementation has been removed and will be ignored by the driver, fixed in 42.3.3

Workarounds

sanitize the inputs to the driver

Reported by Allan Lou v3ged0ge@gmail.com

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-16T00:08:18Z"
}
References

Affected packages

Maven / org.postgresql:postgresql

Package

Name
org.postgresql:postgresql
View open source insights on deps.dev
Purl
pkg:maven/org.postgresql/postgresql

Affected ranges

Type
ECOSYSTEM
Events
Introduced
42.1.0
Fixed
42.3.3

Affected versions

42.*

42.1.0
42.1.0.jre7
42.1.1
42.1.1.jre6
42.1.1.jre7
42.1.2
42.1.2.jre6
42.1.2.jre7
42.1.3
42.1.3.jre6
42.1.3.jre7
42.1.4
42.1.4.jre6
42.1.4.jre7
42.2.0
42.2.0.jre6
42.2.0.jre7
42.2.1
42.2.1.jre6
42.2.1.jre7
42.2.2
42.2.2.jre6
42.2.2.jre7
42.2.3
42.2.3.jre6
42.2.3.jre7
42.2.4
42.2.4.jre6
42.2.4.jre7
42.2.5
42.2.5.jre6
42.2.5.jre7
42.2.6
42.2.6.jre6
42.2.6.jre7
42.2.7
42.2.7.jre6
42.2.7.jre7
42.2.8
42.2.8.jre6
42.2.8.jre7
42.2.9
42.2.9.jre6
42.2.9.jre7
42.2.10
42.2.10.jre6
42.2.10.jre7
42.2.11
42.2.11.jre6
42.2.11.jre7
42.2.12
42.2.12.jre6
42.2.12.jre7
42.2.13
42.2.13.jre6
42.2.13.jre7
42.2.14
42.2.14.jre6
42.2.14.jre7
42.2.15
42.2.15.jre6
42.2.15.jre7
42.2.16
42.2.16.jre6
42.2.16.jre7
42.2.17
42.2.17.jre6
42.2.17.jre7
42.2.18
42.2.18.jre6
42.2.18.jre7
42.2.19
42.2.19.jre6
42.2.19.jre7
42.2.20
42.2.20.jre6
42.2.20.jre7
42.2.21
42.2.21.jre6
42.2.21.jre7
42.2.22
42.2.22.jre6
42.2.22.jre7
42.2.23
42.2.23.jre6
42.2.23.jre7
42.2.24
42.2.24.jre6
42.2.24.jre7
42.2.25
42.2.25.jre6
42.2.25.jre7
42.2.26
42.2.26.jre6
42.2.26.jre7
42.2.27
42.2.27.jre6
42.2.27.jre7
42.2.28
42.2.28.jre7
42.2.29
42.3.0
42.3.1
42.3.2