Detections
Analytics

Fedora 37 : postgresql-jdbc (2023-42d6ba9bd6)

medium Nessus Plugin ID 194568

Language:

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-42d6ba9bd6 advisory.

 - pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
 (CVE-2022-41946)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected postgresql-jdbc package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2023-42d6ba9bd6

Plugin Details

Severity: Medium

ID: 194568

File Name: fedora_2023-42d6ba9bd6.nasl

Version: 1.0

Type: local

Agent: unix

Published: 4/29/2024

Updated: 4/29/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2022-41946

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:fedoraproject:fedora:37, p-cpe:/a:fedoraproject:fedora:postgresql-jdbc

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/4/2023

Vulnerability Publication Date: 11/23/2022

Reference Information

CVE: CVE-2022-41946