Cyber Resilience

CVE-2022-21724

High · Public PoC

Published: 02 February 2022
Modified: 05 May 2025
CVSS v3.1 score: 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0314 (87.2nd percentile)
Risk priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-21724 is a high-severity Improper Initialization (CWE-665) vulnerability in the PostgreSQL JDBC Driver (pgjdbc). Its CVSS base score is 7.0 (High).

Operationally, it ranks in the top 12.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

pgjdbc, the official PostgreSQL JDBC Driver, contains an improper initialization flaw (CWE-665): plugin classes are loaded from connection properties such as authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, and sslpasswordcallback. The driver does not verify that the named class implements the expected interface before instantiating it, so an attacker who can influence the JDBC URL or connection properties can have an arbitrary class loaded and executed. The issue affects applications that rely on the pgjdbc driver and was assigned a CVSS 3.1 score of 7.0.

An attacker with local access who can control the JDBC connection string or its associated properties can supply a malicious class name, causing the driver to load and execute attacker-controlled code with the privileges of the connecting application. No user interaction is required beyond the ability to set the connection properties, though the attack vector is rated local, with high complexity and low privileges required.

The GitHub advisory and linked patches recommend upgrading to a fixed version of pgjdbc for users who employ plugins; no workarounds are documented. Downstream distributions including Debian LTS and Fedora have issued updated packages, and NetApp has published an advisory confirming impact on affected storage products.

The EPSS score reached a peak of 0.0541 before receding to its current value of 0.0314, indicating limited but observable post-disclosure interest that has since declined.

Vulnerability details

pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database while doing security research. The system using the PostgreSQL library will be attacked when an attacker controls the JDBC URL or properties.

pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.
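The missing check described above, as an added illustration that is not pgjdbc's own code: a hypothetical PluginLoader with the unchecked reflective instantiation beside a hardened variant that resolves the class without initializing it and confirms it implements the expected interface (SocketFactory here) before constructing it.

```java
import java.lang.reflect.Constructor;
import java.util.Properties;
import javax.net.SocketFactory;

// Illustrative loader (not pgjdbc's code) showing the CWE-665 pattern and its fix.
public final class PluginLoader {

    // Vulnerable pattern: instantiate whatever class the connection property names.
    // Any class on the classpath with a no-arg constructor is loaded, initialized and
    // constructed before a later cast to the expected interface could fail.
    static Object loadUnchecked(Properties props, String key) throws Exception {
        String className = props.getProperty(key);
        return Class.forName(className).getDeclaredConstructor().newInstance();
    }

    // Hardened pattern: resolve the class without running its static initializer,
    // confirm it implements the expected interface, and only then construct it.
    static <T> T loadChecked(Properties props, String key, Class<T> expected) throws Exception {
        String className = props.getProperty(key);
        if (className == null || className.isEmpty()) {
            return null; // property absent: no plugin configured
        }
        Class<?> c = Class.forName(className, false, PluginLoader.class.getClassLoader());
        if (!expected.isAssignableFrom(c)) {
            throw new IllegalArgumentException(
                key + "=" + className + " does not implement " + expected.getName());
        }
        Constructor<? extends T> ctor = c.asSubclass(expected).getDeclaredConstructor();
        return ctor.newInstance();
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        // Constructed sample value: a real JDK class that is not a SocketFactory.
        props.setProperty("socketFactory", "java.util.ArrayList");
        try {
            loadChecked(props, "socketFactory", SocketFactory.class);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // The unchecked path constructs the unrelated class without complaint.
        Object o = loadUnchecked(props, "socketFactory");
        System.out.println("unchecked path built " + o.getClass().getName());
    }
}
```

The `false` argument to `Class.forName` matters: it defers static initialization, so a rejected class never gets to run any code.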

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor · product: versions
postgresql · postgresql jdbc driver: 42.3.2 · ≤ 42.2.25 · 42.3.0 to 42.3.2
fedoraproject · fedora: 35
quarkus · quarkus: ≤ 2.7.2
debian · debian linux: 9.0, 10.0, 11.0

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-665: Ensures shared resources are explicitly initialized or cleared on allocation, preventing exposure of prior contents to new users or processes.

Addresses CWE-665: Mandates that every instance begins in a known (presumably clean) state, eliminating reliance on residual or uninitialized state left by prior executions.