SCA: security update for org.postgresql:postgresql (GHSA-562r-vg33-8x8h)

medium Tenable Cloud Security Plugin ID 410610

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either
`PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create
a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable
by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory
is shared between all users on that system. Because of this, when files and directories are written into
this directory they are, by default, readable by other users on that same system. This vulnerability does
not allow other users to overwrite the contents of these directories or files. This is purely an
information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7,
this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this
vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to
patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a
directory that is exclusively owned by the executing user will mitigate this vulnerability.
(CVE-2022-41946)

See Also

https://github.com/advisories/GHSA-562r-vg33-8x8h

Plugin Details

Severity: Medium

ID: 410610

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2022-41946

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/23/2022

Vulnerability Publication Date: 11/23/2022

Reference Information

CVE: CVE-2022-41946