CVE-2022-21724
Published: 02 February 2022
Summary
CVE-2022-21724 is a high-severity Improper Initialization (CWE-665) vulnerability in the PostgreSQL JDBC Driver (pgjdbc). Its CVSS base score is 7.0 (High).
Operationally, it ranks in the top 12.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
pgjdbc, the official PostgreSQL JDBC Driver, contains an improper initialization flaw (CWE-665) in the way it loads plugin classes named in connection properties such as authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, and sslpasswordcallback. The driver resolves the supplied class name by reflection and instantiates it without first checking that the class implements the expected plugin interface, so the constructor (and the static initializer) of whatever class was named runs inside the connecting application. This amounts to arbitrary code execution for anyone who can influence the JDBC URL or connection properties. The issue affects applications that rely on the pgjdbc driver and was assigned a CVSS 3.1 score of 7.0.
An attacker who can control the JDBC connection string or associated properties can supply a malicious class name, causing the driver to load and execute attacker-controlled code with the privileges of the connecting application. No user interaction is required; the vector is rated local with high attack complexity because, beyond setting the properties, the named class must already be resolvable by the application's class loader (the driver loads by name, it does not download code itself), so a usable class on the classpath is a precondition.
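The following Java program is an added illustration of the flaw described above, not pgjdbc's own code: `instantiateUnchecked` reproduces the pattern of loading and constructing a class purely by the name found in a property, and `instantiateChecked` shows the guard that closes it (resolve without initializing, verify assignability to the expected plugin type with `Class.asSubclass`, and only then construct). `NotASocketFactory` is a constructed stand-in for any class already on the classpath whose constructor has side effects; `javax.net.SocketFactory` is used as the expected type because that is what a `socketFactory`-style property is supposed to name.

```java
import java.lang.reflect.Constructor;
import java.util.Properties;
import javax.net.SocketFactory;

public class PluginLoadingDemo {

    static ClassLoader loader() {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        return cl != null ? cl : PluginLoadingDemo.class.getClassLoader();
    }

    // Pattern of the pre-fix behaviour: the class named in the property is loaded
    // (initialize=true runs its static initializer immediately) and constructed with
    // no check of what it is. Any public class with a (Properties) or no-arg
    // constructor is instantiated, so attacker-chosen code runs in this process.
    static Object instantiateUnchecked(String className, Properties info) throws Exception {
        Class<?> cls = Class.forName(className, true, loader());
        try {
            Constructor<?> ctor = cls.getConstructor(Properties.class);
            return ctor.newInstance(info);
        } catch (NoSuchMethodException e) {
            return cls.getConstructor().newInstance();
        }
    }

    // Hardened form: resolve the class WITHOUT running its static initializer, verify it
    // is a subtype of the expected plugin interface, and only then construct it.
    // Class.asSubclass throws ClassCastException for anything else, before any code of
    // the named class has executed.
    static <T> T instantiateChecked(Class<T> expected, String className, Properties info) throws Exception {
        Class<?> raw = Class.forName(className, false, loader());
        Class<? extends T> cls = raw.asSubclass(expected);
        try {
            Constructor<? extends T> ctor = cls.getConstructor(Properties.class);
            return ctor.newInstance(info);
        } catch (NoSuchMethodException e) {
            return cls.getConstructor().newInstance();
        }
    }

    // Constructed stand-in for an arbitrary class on the classpath. It is not a socket
    // factory; its constructor merely announces that it ran.
    public static class NotASocketFactory {
        public NotASocketFactory(Properties p) {
            System.out.println("NotASocketFactory constructor ran with " + p);
        }
    }

    public static void main(String[] args) throws Exception {
        Properties info = new Properties();
        // Constructed input: the value an attacker would place in the connection properties.
        info.setProperty("socketFactory", NotASocketFactory.class.getName());
        String name = info.getProperty("socketFactory");

        instantiateUnchecked(name, info);            // constructor of the named class runs
        try {
            instantiateChecked(SocketFactory.class, name, info);
        } catch (ClassCastException e) {
            System.out.println("rejected before construction: " + e.getMessage());
        }
    }
}
```

Two details matter in the hardened path: the `initialize=false` argument, because a check performed after `Class.forName(name, true, ...)` is already too late for a hostile static initializer, and the fact that the type check happens on the `Class` object rather than on the constructed instance, so nothing of the named class executes unless it really is the expected plugin type.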
The GitHub advisory and linked patches recommend upgrading to a fixed version of pgjdbc (42.2.25 or 42.3.2 per the advisory) for users who employ plugins; no workarounds are documented. Downstream distributions including Debian LTS and Fedora have issued updated packages, and NetApp has published an advisory confirming impact on affected storage products.
The EPSS score peaked at 0.0541 and currently stands at 0.0314, indicating limited but observable post-disclosure interest that has since declined.
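Since no workaround is documented, the upgrade is the fix. For applications that build connections from a JDBC URL or property set supplied by a less-trusted party (a user-configurable data source, for example), the added example below is an application-side compensating control, not pgjdbc code and not a substitute for upgrading: it refuses any URL query parameter or property that names one of the class-loading sinks listed in the advisory. The deny list also includes `socketFactoryArg` and `sslfactoryarg`, the pgjdbc properties that pass a constructor argument to the `socketFactory`/`sslfactory` classes; the helper names, the sample URLs and the case-insensitive, key-decoding comparison (deliberately stricter than the driver's own exact-match parsing) are this example's choices.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

public class JdbcUrlGuard {

    // Properties the advisory names as class-name sinks, plus the two companion
    // properties that supply a constructor argument to socketFactory/sslfactory.
    static final Set<String> DENIED = new HashSet<>(Arrays.asList(
            "authenticationpluginclassname", "sslhostnameverifier", "socketfactory",
            "sslfactory", "sslpasswordcallback", "socketfactoryarg", "sslfactoryarg"));

    // Split the query part of "jdbc:postgresql://host:port/db?k=v&k2=v2" into pairs.
    // Keys are percent-decoded as well as values, which is stricter than the driver.
    static Map<String, String> queryParams(String jdbcUrl) {
        Map<String, String> out = new LinkedHashMap<>();
        int q = jdbcUrl.indexOf('?');
        if (q < 0) return out;
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            out.put(URLDecoder.decode(k, StandardCharsets.UTF_8),
                    URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return out;
    }

    // Report every denied key found in either the URL query or the Properties object,
    // since pgjdbc honours both sources.
    static List<String> findPluginOverrides(String jdbcUrl, Properties props) {
        List<String> hits = new ArrayList<>();
        for (String k : queryParams(jdbcUrl).keySet()) {
            if (DENIED.contains(k.toLowerCase(Locale.ROOT))) hits.add("url:" + k);
        }
        for (String k : props.stringPropertyNames()) {
            if (DENIED.contains(k.toLowerCase(Locale.ROOT))) hits.add("prop:" + k);
        }
        return hits;
    }

    // Fail closed before the URL ever reaches DriverManager.getConnection.
    static void requireClean(String jdbcUrl, Properties props) {
        List<String> hits = findPluginOverrides(jdbcUrl, props);
        if (!hits.isEmpty()) {
            throw new IllegalArgumentException("plugin class override not allowed: " + hits);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not captured from any real deployment.
        String ok  = "jdbc:postgresql://db.internal:5432/app?ssl=true&sslmode=verify-full";
        String bad = "jdbc:postgresql://db.internal:5432/app?ssl=true&socketFactory=com.example.Anything";
        Properties props = new Properties();
        props.setProperty("user", "app");

        System.out.println(findPluginOverrides(ok, props));   // []
        System.out.println(findPluginOverrides(bad, props));  // [url:socketFactory]
        requireClean(ok, props);
        requireClean(bad, props);                             // throws IllegalArgumentException
    }
}
```

The stronger design is to never forward a caller-supplied query string at all: accept only host, port, database and credentials as separate fields, build the URL yourself, and set the remaining options from configuration you control. Where that is not possible, a deny list like this one should be paired with the upgrade rather than relied on alone, and `URLDecoder.decode(String, Charset)` requires Java 10 or later.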
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1192
Vulnerability details
pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database while doing security research. The system using the PostgreSQL library will be attacked when an attacker controls the JDBC URL or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.
- CWE(s): CWE-665 Improper Initialization
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Note that these generic CWE-665 controls describe uninitialized-resource problems; for this CVE the effective control is the one in the fix, verifying that a class named in a connection property implements the expected plugin interface before it is instantiated, together with the upgrade.
Ensures shared resources are explicitly initialized or cleared on allocation, preventing exposure of prior contents to new users or processes.
Mandates that every instance begins in a known (presumably clean) state, eliminating reliance on residual or uninitialized state left by prior executions.