admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-08-04 08:44:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update CVE. Remote vector was added erroneously

Browse Source 
The maintainer got in contact after requesting a CVE to correct the attack vector.
The original publication mentioned a remote vector, but this was not accurate.
This commit is contained in:
Jonathan Moroney 2022-02-04 14:46:30 -08:00
parent ed09c6db82
commit 75955f3d76
No known key found for this signature in database
GPG Key ID: 3F1697A1388A846C
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
2022/21xxx/CVE-2022-21724.json
View File

@ -3,7 +3,7 @@
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-21724",
"STATE": "PUBLIC",
"TITLE": "Remote code execution vulnerability using plugin features "
"TITLE": "Unchecked Class Instantiation when providing Plugin Classes"
},
"affects": {
"vendor": {
@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to remote code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue."
"value": "pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue."
}
]
},
@ -51,7 +51,7 @@
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},