BIT-postgresql-jdbc-driver-2022-41946
Exposure of Sensitive Information vulnerability in postgresql (Maven)
What is BIT-postgresql-jdbc-driver-2022-41946 About?
This vulnerability is an information-disclosure flaw in the PostgreSQL JDBC driver: temporary files created by `PreparedStatement.setText` and `PreparedStatement.setBytea` are readable by other users on Unix-like systems. This can expose sensitive data written to those temporary files, but does not allow them to be modified. Exploitation requires specific system configurations and is moderately difficult.
Affected Software
- org.postgresql:postgresql
- >42.2.0, <42.2.27
- >42.5.0, <42.5.1
- >42.3.0, <42.3.8
- >42.4.0, <42.4.3
Technical Details
The vulnerability arises from the PostgreSQL JDBC driver's implementation of `PreparedStatement.setText(int, InputStream)` and `PreparedStatement.setBytea(int, InputStream)`. When the provided `InputStream` is larger than 51KB, the driver creates a temporary file to buffer the data. On Unix-like systems these files are created in the shared temporary directory with default permissions that make them world-readable, so any other user on the same host can read their contents, which include whatever the application passed to the statement. An attacker therefore needs local access to a multi-user Unix-like system on which an application using the vulnerable driver is running; the flaw grants read access to the temporary files only, not write access.
What is the Impact of BIT-postgresql-jdbc-driver-2022-41946?
Successful exploitation may allow attackers to disclose sensitive information from temporary files created by the application.
What is the Exploitability of BIT-postgresql-jdbc-driver-2022-41946?
Exploitation requires local access to a multi-user Unix-like system. Complexity is moderate: the application must pass large input streams (over 51KB) through the affected `PreparedStatement` methods, so that temporary files land in a shared temporary directory where other users can read them. No authentication beyond an existing user account on the host is required, and privilege requirements are low, since ordinary user privileges suffice to read world-readable temporary files. The risk is higher in environments where the host also serves untrusted users.
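To make the mechanism behind the Technical Details and Exploitability sections concrete, here is an added Java example (illustration only, not pgjdbc code and not the fix commit listed under the resources below). It contrasts the weak temp-file pattern, where permissions are left to the process umask, with one that requests owner-only permissions at creation time, and adds a defensive check of the directory named by `java.io.tmpdir`, since a shared, traversable temp directory is what makes a world-readable file reachable by other users. The class name, file prefixes and helper names are assumptions made for this example. The upstream GitHub advisory linked on this page also suggests pointing `java.io.tmpdir` at a directory readable only by the application's user as a stop-gap for deployments that cannot upgrade immediately.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/** Illustrative comparison of temp-file creation patterns (assumed class name; not pgjdbc code). */
public class TempFilePermissionCheck {

    /**
     * Weak pattern: File.createTempFile opens the file with mode 0666 masked by the
     * process umask. With the common umask of 022 the file lands in the shared temp
     * directory as rw-r--r--, so any local user can read whatever is buffered into it.
     */
    static Path createWeakTempFile() throws IOException {
        File f = File.createTempFile("example-weak", ".tmp");
        f.deleteOnExit();
        return f.toPath();
    }

    /**
     * Hardened pattern: request owner-only permissions atomically at creation time, so
     * there is no window in which the file exists with wider permissions. On POSIX,
     * Files.createTempFile without attributes also defaults to rw-------, but being
     * explicit documents the intent and does not depend on the JDK default.
     */
    static Path createPrivateTempFile() throws IOException {
        Set<PosixFilePermission> ownerOnly =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
        Path p = Files.createTempFile("example-private", ".tmp", attr);
        p.toFile().deleteOnExit();
        return p;
    }

    /** True if group or world can read the path. Throws UnsupportedOperationException on non-POSIX filesystems. */
    static boolean readableByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    /**
     * Defensive check of the directory temp files will be created in: if other users
     * can traverse (execute bit) java.io.tmpdir, a world-readable file inside it is
     * reachable by them. A per-user directory with rwx------ returns false here.
     */
    static boolean tmpDirTraversableByOthers() throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(tmp);
        return perms.contains(PosixFilePermission.GROUP_EXECUTE)
            || perms.contains(PosixFilePermission.OTHERS_EXECUTE);
    }

    public static void main(String[] args) throws IOException {
        Path weak = createWeakTempFile();
        Path priv = createPrivateTempFile();
        try {
            System.out.println("java.io.tmpdir traversable by other users: " + tmpDirTraversableByOthers());
            System.out.println(weak + " readable by others: " + readableByOthers(weak));
            System.out.println(priv + " readable by others: " + readableByOthers(priv));
        } finally {
            // Remove the files rather than leaving buffered data behind in the shared directory.
            Files.deleteIfExists(weak);
            Files.deleteIfExists(priv);
        }
    }
}
```

Run it on a Unix-like host: with a typical umask the weak file is reported as readable by others while the explicitly created one is not. The result for the weak pattern depends on the umask the JVM inherits, which is exactly why relying on it is fragile; the permission queries throw on filesystems without POSIX attributes such as Windows.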
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-postgresql-jdbc-driver-2022-41946?
Available Upgrade Options
- org.postgresql:postgresql
- >42.2.0, <42.2.27 → Upgrade to 42.2.27
- >42.3.0, <42.3.8 → Upgrade to 42.3.8
- >42.4.0, <42.4.3 → Upgrade to 42.4.3
- >42.5.0, <42.5.1 → Upgrade to 42.5.1
Additional Resources
- https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5
- https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html
- https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD
- https://security.netapp.com/advisory/ntap-20240329-0003/
- https://osv.dev/vulnerability/GHSA-562r-vg33-8x8h
What are Similar Vulnerabilities to BIT-postgresql-jdbc-driver-2022-41946?
Similar Vulnerabilities: CVE-2020-1945, CVE-2020-15824, CVE-2021-4104, CVE-2023-44487, CVE-2023-45803
