CVE-2022-41946

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2022-41946
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2022-11-23 20:15:00 UTC
Updated2024-03-29 13:15:00 UTC
Descriptionpgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.

Risk And Classification

Problem Types: CWE-668

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Debian Debian Linux 10.0 All All All
Application Postgresql Postgresql Jdbc Driver All All All All
Application Postgresql Postgresql Jdbc Driver 42.5.0 - All All
Application Postgresql Postgresql Jdbc Driver 42.5.0 rc1 All All
Application Postgresql Postgresql Jdbc Driver All All All All
Application Postgresql Postgresql Jdbc Driver All All All All

References

ReferenceSourceLinkTags
Merge pull request from GHSA-562r-vg33-8x8h · pgjdbc/pgjdbc@9008dc9 · GitHub MISC github.com
[SECURITY] Fedora 37 Update: postgresql-jdbc-42.4.3-1.fc37 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
[SECURITY] [DLA 3218-1] libpgjava security update MLIST lists.debian.org
TemporaryFolder on unix-like systems does not limit access to created files · Advisory · pgjdbc/pgjdbc · GitHub CONFIRM github.com
[SECURITY] Fedora 37 Update: postgresql-jdbc-42.4.3-1.fc37 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org
security.netapp.com/advisory/ntap-20240329-0003 security.netapp.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 160607 Oracle Enterprise Linux Security Update for postgresql-jdbc (ELSA-2023-2378)
  • 160662 Oracle Enterprise Linux Security Update for postgresql-jdbc (ELSA-2023-2867)
  • 181285 Debian Security Update for libpgjava (DLA 3218-1)
  • 182879 Debian Security Update for libpgjava (CVE-2022-41946)
  • 241184 Red Hat Update for red hat virtualization (RHSA-2023:0759)
  • 241321 Red Hat Update for Satellite 6.12.3 (RHSA-2023:1630)
  • 241405 Red Hat Update for Satellite 6.13 (RHSA-2023:2097)
  • 241439 Red Hat Update for postgresql-jdbc (RHSA-2023:2378)
  • 241512 Red Hat Update for postgresql-jdbc (RHSA-2023:2867)
  • 283608 Fedora Security Update for postgresql (FEDORA-2023-42d6ba9bd6)
  • 378645 Alibaba Cloud Linux Security Update for postgresql-jdbc (ALINUX3-SA-2023:0065)
  • 502872 Alpine Linux Security Update for java-postgresql-jdbc
  • 753540 SUSE Enterprise Linux Security Update for postgresql-jdbc (SUSE-SU-2023:0104-1)
  • 753541 SUSE Enterprise Linux Security Update for postgresql-jdbc (SUSE-SU-2023:0103-1)
  • 941026 AlmaLinux Security Update for postgresql-jdbc (ALSA-2023:2378)
  • 941088 AlmaLinux Security Update for postgresql-jdbc (ALSA-2023:2867)
  • 960924 Rocky Linux Security Update for Satellite (RLSA-2023:2097)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report