NVD - CVE-2022-41946 (original) (raw)
CVE-2022-41946 Detail
Description
pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:
NIST: NVD
N/A
NVD assessment not yet provided.
CVSS 3.x Severity and Vector Strings:
NIST: NVD
Base Score: 5.5 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CNA: GitHub, Inc.
Base Score: 4.7 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0 Severity and Vector Strings:
NIST: NVD
Base Score: N/A
NVD assessment not yet provided.
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].
| URL | Source(s) | Tag(s) |
|---|---|---|
| https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 | CVE, GitHub, Inc. | Patch |
| https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h | CVE, GitHub, Inc. | Exploit Patch Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html | CVE, GitHub, Inc. | Mailing List Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2024/12/msg00017.html | CVE | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD/ | CVE, GitHub, Inc. | |
| https://security.netapp.com/advisory/ntap-20240329-0003/ | CVE, GitHub, Inc. |
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-668 | Exposure of Resource to Wrong Sphere | NIST |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | GitHub, Inc. |
| CWE-377 | Insecure Temporary File | GitHub, Inc. |
Known Affected Software Configurations Switch to CPE 2.2
CPEs loading, please wait.
Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.
Change History
12 change records found show changes
CVE Modified by GitHub, Inc. 6/17/2026 1:04:06 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Affected | [{"vendor":"pgjdbc","product":"pgjdbc","versions":[{"version":">= 42.2.0, < 42.2.27","status":"affected"},{"version":"> 42.3.0, < 42.3.8","status":"affected"},{"version":">= 42.4.0, < 42.4.3","status":"affected"},{"version":">= 42.5.0, < 42.5.1","status":"affected"}]}] |
CVE Modified by CVE 11/03/2025 5:16:00 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://lists.debian.org/debian-lts-announce/2024/12/msg00017.html |
CVE Modified by CVE 11/21/2024 2:24:07 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 | |
| Added | Reference | https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h | |
| Added | Reference | https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html | |
| Added | Reference | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD/ | |
| Added | Reference | https://security.netapp.com/advisory/ntap-20240329-0003/ |
CVE Modified by GitHub, Inc. 5/14/2024 7:33:45 AM
| Action | Type | Old Value | New Value |
|---|
CVE Modified by GitHub, Inc. 3/29/2024 9:15:13 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | GitHub, Inc. https://security.netapp.com/advisory/ntap-20240329-0003/ [No types assigned] |
CVE Modified by GitHub, Inc. 11/06/2023 10:53:09 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | GitHub, Inc. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD/ [No types assigned] | |
| Removed | Reference | GitHub, Inc. https://lists.fedoraproject.org/archives/list/[\[email protected]](/cdn-cgi/l/email-protection)/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD/ |
Reanalysis by NIST 7/06/2023 9:37:49 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CWE | NIST CWE-668 | |
| Removed | CWE | NIST NVD-CWE-Other |
Modified Analysis by NIST 2/22/2023 9:31:43 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration | OR *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | |
| Changed | Reference Type | https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Patch, Third Party Advisory | https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Patch |
| Changed | Reference Type | https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html No Types Assigned | https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html Mailing List, Third Party Advisory |
| Changed | Reference Type | https://lists.fedoraproject.org/archives/list/[\[email protected]](/cdn-cgi/l/email-protection)/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD/ No Types Assigned | https://lists.fedoraproject.org/archives/list/[\[email protected]](/cdn-cgi/l/email-protection)/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD/ Third Party Advisory |
CVE Modified by GitHub, Inc. 1/12/2023 11:15:08 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://lists.fedoraproject.org/archives/list/[\[email protected]](/cdn-cgi/l/email-protection)/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD/ [No Types Assigned] |
CVE Modified by GitHub, Inc. 12/02/2022 8:15:09 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html [No Types Assigned] |
Reanalysis by NIST 11/29/2022 11:26:22 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Changed | CPE Configuration | OR *cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:* versions from (including) 42.2.0 up to (excluding) 42.2.27 *cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:* versions from (including) 42.3.0 up to (including) 42.3.8 *cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:* versions from (including) 42.4.0 up to (including) 42.4.3 *cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.5.0:-:*:*:*:*:*:* *cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.5.0:rc1:*:*:*:*:*:* | OR *cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:* versions from (including) 42.2.0 up to (excluding) 42.2.27 *cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:* versions from (including) 42.3.0 up to (excluding) 42.3.8 *cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:* versions from (including) 42.4.0 up to (excluding) 42.4.3 *cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.5.0:-:*:*:*:*:*:* *cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.5.0:rc1:*:*:*:*:*:* |
Initial Analysis by NIST 11/28/2022 2:43:46 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | |
| Added | CWE | NIST NVD-CWE-Other | |
| Added | CPE Configuration | OR *cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:* versions from (including) 42.2.0 up to (excluding) 42.2.27 *cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:* versions from (including) 42.3.0 up to (including) 42.3.8 *cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:* versions from (including) 42.4.0 up to (including) 42.4.3 *cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.5.0:-:*:*:*:*:*:* *cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.5.0:rc1:*:*:*:*:*:* | |
| Changed | Reference Type | https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 No Types Assigned | https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Patch, Third Party Advisory |
| Changed | Reference Type | https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h No Types Assigned | https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h Exploit, Patch, Third Party Advisory |
Quick Info
CVE Dictionary Entry:
CVE-2022-41946
NVD Published Date:
11/23/2022
NVD Last Modified:
06/17/2026
Source:
GitHub, Inc.