cvedb.io
CVE-2022-26520
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2022-03-10T17:47:45.810 · Last modified 2026-06-17T04:35:20.700

Summary

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

Affected products

postgresql — postgresql_jdbc_driver


References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.