postgresql postgresql_jdbc_driver 信息暴露

admin

0
文章

0
评论

2023-11-30 05:00:17 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 postgresql postgresql_jdbc_driver 信息暴露

CVE编号

CVE-2022-41946

利用情况

暂无

补丁情况

官方补丁

披露时间

2022-11-24

漏洞描述

pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h
https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	postgresql	postgresql_jdbc_driver	*	From (including) 42.2.0	Up to (excluding) 42.2.27
	运行在以下环境
	应用	postgresql	postgresql_jdbc_driver	*	From (including) 42.3.0	Up to (excluding) 42.3.8
	运行在以下环境
	应用	postgresql	postgresql_jdbc_driver	*	From (including) 42.4.0	Up to (excluding) 42.4.3
	运行在以下环境
	应用	postgresql	postgresql_jdbc_driver	42.5.0	-
	运行在以下环境
	系统	alpine_3.17	java-postgresql-jdbc	*		Up to (excluding) 42.5.1-r0
	运行在以下环境
	系统	alpine_3.18	java-postgresql-jdbc	*		Up to (excluding) 42.5.1-r0
	运行在以下环境
	系统	alpine_edge	java-postgresql-jdbc	*		Up to (excluding) 42.5.1-r0
	运行在以下环境
	系统	anolis_os_8	postgresql-jdbc-javadoc	*		Up to (excluding) 42.2.14-2
	运行在以下环境
	系统	centos_8	ovirt-ansible-collection	*		Up to (excluding) 0.0.4-1.el8sat
	运行在以下环境
	系统	debian_10	libpgjava	*		Up to (excluding) 42.2.5-2+deb10u3
	运行在以下环境
	系统	debian_11	libpgjava	*		Up to (including) 42.2.15-1+deb11u1
	运行在以下环境
	系统	debian_12	libpgjava	*		Up to (excluding) 42.5.1-1
	运行在以下环境
	系统	debian_sid	libpgjava	*		Up to (excluding) 42.5.1-1
	运行在以下环境
	系统	fedora_37	postgresql-jdbc	*		Up to (excluding) 42.4.3-1.fc37
	运行在以下环境
	系统	kylinos_aarch64_V10SP1	postgresql-jdbc	*		Up to (excluding) 42.4.1-2.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP2	postgresql-jdbc	*		Up to (excluding) 42.4.1-2.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP3	postgresql-jdbc	*		Up to (excluding) 42.4.1-2.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP1	postgresql-jdbc	*		Up to (excluding) 42.4.1-2.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP2	postgresql-jdbc	*		Up to (excluding) 42.4.1-2.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP3	postgresql-jdbc	*		Up to (excluding) 42.4.1-2.ky10
	运行在以下环境
	系统	opensuse_Leap_15.4	postgresql-jdbc	*		Up to (excluding) 42.2.25-150400.3.9.2
	运行在以下环境
	系统	oracle_8	oraclelinux-release	*		Up to (excluding) 42.2.14-2.el8
	运行在以下环境
	系统	oracle_9	oraclelinux-release	*		Up to (excluding) 42.2.27-1.el9
	运行在以下环境
	系统	redhat_8	ovirt-ansible-collection	*		Up to (excluding) 0.0.4-1.el8sat
	运行在以下环境
	系统	redhat_9	postgresql-jdbc	*		Up to (excluding) 42.2.27-1.el9
	运行在以下环境
	系统	suse_12_SP5	postgresql-jdbc	*		Up to (excluding) 9.4-3.9.1
	运行在以下环境
	系统	unionos_a	postgresql-jdbc	*		Up to (excluding) postgresql-jdbc-42.2.14-2.uelc20
	运行在以下环境
	系统	unionos_e	postgresql-jdbc	*		Up to (excluding) postgresql-jdbc-42.4.1-2.uel20