CVE-2022-41946
CVE-2022-41946 is a medium-severity vulnerability in Postgresql Postgresql Jdbc Driver with a CVSS 3.x base score of 4.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-668.
Key facts
- Severity: Medium (CVSS 3.x base score 4.7)
- EPSS exploit prediction: 0% (38th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-668
- Affected product: Postgresql Postgresql Jdbc Driver
- Published:
- Last modified:
Description
pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
Frequently asked questions
- What is CVE-2022-41946?
- pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
- How severe is CVE-2022-41946?
- CVE-2022-41946 has a CVSS 3.x base score of 4.7, rated medium severity. It is exploitable over local access with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2022-41946 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (38th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-41946?
- CVE-2022-41946 primarily affects Postgresql Postgresql Jdbc Driver. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-41946?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2022-41946 published?
- CVE-2022-41946 was published on 2022-11-23 and last updated on 2026-06-17.
References
- https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5
- https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h
- https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD/
- https://security.netapp.com/advisory/ntap-20240329-0003/
- https://lists.debian.org/debian-lts-announce/2024/12/msg00017.html
Affected products (4)
- cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.5.0:-:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.5.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
More vulnerabilities in Postgresql Postgresql Jdbc Driver
- CVE-2024-1597 — Critical (CVSS 10.0): pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the…
- CVE-2022-26520 — Critical (CVSS 9.8): In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler…
- CVE-2025-49146 — High (CVSS 8.2): pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is…
- CVE-2018-10936 — High (CVSS 8.1): A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check…
- CVE-2020-13692 — High (CVSS 7.7): PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
- CVE-2026-42198 — High (CVSS 7.5): pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to…
All CVEs affecting Postgresql Postgresql Jdbc Driver →
Other CWE-668 (Exposure of Resource to Wrong Sphere) vulnerabilities
- CVE-2025-2857 — Critical (CVSS 10.0): Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in…
- CVE-2019-8779 — Critical (CVSS 10.0): A logic issue applied the incorrect restrictions. This issue was addressed by updating the logic to apply the correct…
- CVE-2012-1846 — Critical (CVSS 10.0): Google Chrome 17.0.963.66 and earlier allows remote attackers to bypass the sandbox protection mechanism by leveraging…
- CVE-2022-43684 — Critical (CVSS 9.9): ServiceNow has released patches and an upgrade that address an Access Control List (ACL) bypass issue in ServiceNow…
- CVE-2022-24900 — Critical (CVSS 9.9): Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer.…
- CVE-2019-16541 — Critical (CVSS 9.9): Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site…
Browse all CWE-668 (Exposure of Resource to Wrong Sphere) vulnerabilities →