CVE-2022-26520 - Improper Input Validation

Severity: Low2022-05-27

Security Advisories

Abstract

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

The Oxygen Content Fusion incorporates postgresql as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Content Fusion v4.1.6 and olderLow Oxygen Content Fusion 5.0 build 2022052605

Mitigation

None

Detail

CVE-2022-26520

Severity: High

CVSS Score: 7.0

The postgresql third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-26520 vulnerability description. However, the Oxygen products are not configured to allow untrusted users to supply JDBC URLs or their properties. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Content Fusion v5.0 postgresql library was updated to v42.3.4 which fixes this vulnerability.

List of Security Advisories

Video Tutorials
Upcoming Events
conference
Balisage: The Markup Conference 2024

Products

Features

Shop

Resources

Support

Company

© 2002-2024 SyncRO Soft SRL. All rights reserved.

This website was created & generated with <oXygen/>®XML Editor