CVE-2022-26520: 
Java vulnerability analysis and mitigation

In PostgreSQL JDBC (pgjdbc) versions before 42.3.3, a vulnerability was identified where an attacker with control over the JDBC URL or connection properties could exploit the loggerFile and loggerLevel connection properties to write arbitrary files to the system. This vulnerability was assigned CVE-2022-26520 and was disclosed in March 2022. For example, an attacker could potentially create an executable JSP file under a Tomcat web root, leading to potential remote code execution (GitHub Advisory, CVE Mitre).

The vulnerability stems from the ability to manipulate the loggerFile and loggerLevel connection properties in the JDBC URL. An attacker could specify an arbitrary filename in the loggerFileName connection parameter, for example: 'jdbc:postgresql://localhost:5432/test?user=test&password=test&loggerLevel=DEBUG&loggerFile=./blah.jsp&<%Runtime.getRuntime().exec(request.getParameter("i"));%>'. This could result in the creation of a valid JSP file potentially leading to Remote Code Execution (GitHub Advisory).

The vulnerability could allow an attacker to write arbitrary files to the system, potentially leading to remote code execution if the attacker can write to sensitive locations such as web application directories. This could result in complete system compromise if successfully exploited (GitHub Advisory).

The vulnerability was fixed in version 42.3.3 by removing the LoggerFile implementation, which will now be ignored by the driver. For earlier versions, applications should sanitize inputs to the driver and ensure that JDBC URLs and connection properties are not exposed to untrusted users. The vendor recommends using java.util.logging for logging configuration instead (GitHub Advisory).