WS-2022-0080 (High) detected in postgresql-42.2.23.jar

[mend-bolt-for-github]

WS-2022-0080 - High Severity Vulnerability

Vulnerable Library - postgresql-42.2.23.jar

PostgreSQL JDBC Driver Postgresql

Library home page: https://jdbc.postgresql.org

Path to dependency file: /modules/admin/pom.xml

Path to vulnerable library: /6_HHZOQI/downloadResource_EAEXXF/20221104210737/postgresql-42.2.23.jar,/6_HHZOQI/downloadResource_EAEXXF/20221104210746/postgresql-42.2.23.jar

Dependency Hierarchy:

• ❌ postgresql-42.2.23.jar (Vulnerable Library)

Found in HEAD commit: 519756786389e6def30b4e68ca7e83fe94667d5b

Found in base branch: master

Vulnerability Details

In org.postgresql:postgresql before 42.3.3 the connection properties for configuring a pgjdbc connection are not meant to be exposed to an unauthenticated attacker. While allowing an attacker to specify arbitrary connection properties could lead to a compromise of a system, that's a defect of an application that allows unauthenticated attackers that level of control.

Publish Date: 2022-02-16

URL: WS-2022-0080

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-673j-qm5f-xpv8

Release Date: 2022-02-16

Fix Resolution: 42.2.26

---

Step up your Open Source Security Game with Mend here

[github-actions]

Thank you for opening an issue. If this issue is related to a bug, please follow the steps and provide the information outlined in the Troubleshooting Guide. Failure to follow these instructions may result in automatic closing of this issue.