PostgreSQL JDBC Driver 42.2.25 Released


  • CVE-2022-21724 pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This would allow a malicious class to be instantiated that could execute arbitrary code from the JVM. Fixed in commit

Commits by author