PostgreSQL JDBC Vulnerability: CVE-2022-21724; CVE-2022-26520 (OD-2025)
Decyphertek.io opened 1 year ago

Trivy Container Scanner Output:

adminotaur@onedev-updated-08-13-24:~$ trivy image 1dev/server:latest 
2024-08-13T21:26:19Z    INFO    [db] Need to update DB
2024-08-13T21:26:19Z    INFO    [db] Downloading DB...  repository="ghcr.io/aquasecurity/trivy-db:2"
51.30 MiB / 51.30 MiB [----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 12.39 MiB p/s 4.3s
2024-08-13T21:26:23Z    INFO    [vuln] Vulnerability scanning is enabled
2024-08-13T21:26:23Z    INFO    [secret] Secret scanning is enabled
2024-08-13T21:26:23Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-13T21:26:23Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-13T21:27:11Z    INFO    Java DB Repository      repository=ghcr.io/aquasecurity/trivy-java-db:1
2024-08-13T21:27:11Z    INFO    Downloading the Java DB...
634.37 MiB / 634.37 MiB [--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 7.54 MiB p/s 1m24s
2024-08-13T21:28:37Z    INFO    The Java DB is cached for 3 days. If you want to update the database more frequently, "trivy clean --java-db" command clears the DB cache.
2024-08-13T21:28:42Z    INFO    Detected OS     family="ubuntu" version="24.04"
2024-08-13T21:28:42Z    INFO    [ubuntu] Detecting vulnerabilities...   os_version="24.04" pkg_num=190
2024-08-13T21:28:42Z    INFO    Number of language-specific files       num=4
2024-08-13T21:28:42Z    INFO    [gobinary] Detecting vulnerabilities...
2024-08-13T21:28:42Z    INFO    [jar] Detecting vulnerabilities...
2024-08-13T21:28:43Z    WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.54/docs/scanner/vulnerability#severity-selection for details.

1dev/server:latest (ubuntu 24.04)

Total: 34 (UNKNOWN: 0, LOW: 27, MEDIUM: 7, HIGH: 0, CRITICAL: 0)

│ org.postgresql:postgresql (postgresql-42.2.8.jar)            │ CVE-2024-1597       │ CRITICAL │          │ 42.2.8                │ 42.2.28, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2 │ pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL │
│                                                              │                     │          │          │                       │                                                 │ if using PreferQueryMode=SIMPLE...                           │
│                                                              │                     │          │          │                       │                                                 │ https://avd.aquasec.com/nvd/cve-2024-1597                    │
│                                                              ├─────────────────────┼──────────┤          │                       ├─────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2020-13692      │ HIGH     │          │                       │ 42.2.13                                         │ postgresql-jdbc: XML external entity (XXE) vulnerability in  │
│                                                              │                     │          │          │                       │                                                 │ PgSQLXML                                                     │
│                                                              │                     │          │          │                       │                                                 │ https://avd.aquasec.com/nvd/cve-2020-13692                   │
│                                                              ├─────────────────────┤          │          │                       ├─────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2022-21724      │          │          │                       │ 42.2.25, 42.3.2                                 │ jdbc-postgresql: Unchecked Class Instantiation when          │
│                                                              │                     │          │          │                       │                                                 │ providing Plugin Classes                                     │
│                                                              │                     │          │          │                       │                                                 │ https://avd.aquasec.com/nvd/cve-2022-21724                   │
│                                                              ├─────────────────────┤          │          │                       ├─────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2022-31197      │          │          │                       │ 42.2.26, 42.4.1, 42.3.7                         │ postgresql: SQL Injection in ResultSet.refreshRow() with     │
│                                                              │                     │          │          │                       │                                                 │ malicious column names                                       │
│                                                              │                     │          │          │                       │                                                 │ https://avd.aquasec.com/nvd/cve-2022-31197                   │
│                                                              ├─────────────────────┼──────────┤          │                       ├─────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2022-41946      │ MEDIUM   │          │                       │ 42.2.27, 42.3.8, 42.4.3, 42.5.1                 │ postgresql-jdbc: Information leak of prepared statement data │
│                                                              │                     │          │          │                       │                                                 │ due to insecure temporary file...                            │
│                                                              │                     │          │          │                       │                                                 │ https://avd.aquasec.com/nvd/cve-2022-41946                   │
│                                                              ├─────────────────────┤          │          │                       ├─────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ GHSA-673j-qm5f-xpv8 │          │          │                       │ 42.3.3                                          │ pgjdbc Arbitrary File Write Vulnerability                    │
│                                                              │                     │          │          │                       │                                                 │ https://github.com/advisories/GHSA-673j-qm5f-xpv8            │
│                                                              ├─────────────────────┼──────────┤          │                       │                                                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2022-26520      │ LOW      │          │                       │                                                 │ postgresql-jdbc: Arbitrary File Write Vulnerability          │
│                                                              │                     │          │          │                       │                                                 │ https://avd.aquasec.com/nvd/cve-2022-26520                   │
└──────────────────────────────────────────────────────────────┴─────────────────────┴──────────┴──────────┴───────────────────────┴─────────────────────────────────────────────────┴───────────────────────────────────────────────────────────

Note:

This is only part of the trivy vulnerability output.
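
Added example (not part of the original report and not OneDev or Trivy code): a short Python script that takes the "Fixed Version" column from the table above for postgresql-42.2.8.jar and works out the lowest driver release that clears every listed finding. The rule in `is_fixed` for reading Trivy's per-branch fixed-version lists is an assumption, and the function names are hypothetical.

```python
# Fixed-version lists transcribed from the Trivy table in this issue
# (org.postgresql:postgresql, installed version 42.2.8).
FINDINGS = {
    "CVE-2024-1597": "42.2.28, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2",
    "CVE-2020-13692": "42.2.13",
    "CVE-2022-21724": "42.2.25, 42.3.2",
    "CVE-2022-31197": "42.2.26, 42.4.1, 42.3.7",
    "CVE-2022-41946": "42.2.27, 42.3.8, 42.4.3, 42.5.1",
    "GHSA-673j-qm5f-xpv8": "42.3.3",
    "CVE-2022-26520": "42.3.3",
}

def parse(version):
    """'42.2.8' -> (42, 2, 8) so versions compare numerically."""
    return tuple(int(p) for p in version.strip().split("."))

def is_fixed(candidate, fixed_versions):
    """Assumed rule: each listed version is the first fixed release of its
    major.minor line, and lines newer than every listed one carry the fix.
    A line with no listed fix that is not newer than all of them is
    treated as unfixed (conservative)."""
    fixes = [parse(v) for v in fixed_versions.split(",")]
    same_line = [f for f in fixes if f[:2] == candidate[:2]]
    if same_line:
        return candidate >= min(same_line)
    return candidate[:2] > max(f[:2] for f in fixes)

def open_findings(candidate, findings=FINDINGS):
    """IDs from the table that would still be reported for `candidate`."""
    cand = parse(candidate)
    return sorted(i for i, fv in findings.items() if not is_fixed(cand, fv))

def minimal_target(installed, findings=FINDINGS):
    """Lowest listed release above `installed` that clears every finding."""
    listed = sorted({parse(v) for fv in findings.values() for v in fv.split(",")})
    for cand in listed:
        if cand > parse(installed) and all(
                is_fixed(cand, fv) for fv in findings.values()):
            return ".".join(map(str, cand))
    return None

if __name__ == "__main__":
    print("still open on 42.2.28:", open_findings("42.2.28"))
    print("minimal target:", minimal_target("42.2.8"))
```

The result covers only the findings listed in this partial output. Staying on the 42.2 line leaves the two arbitrary-file-write entries open because the table lists no 42.2.x fix for them.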

  • Decyphertek.io commented 1 year ago

    Scan using Trivy on Debian:

    wget https://github.com/aquasecurity/trivy/releases/download/v0.54.1/trivy_0.54.1_Linux-64bit.deb
    sudo dpkg -i trivy_0.54.1_Linux-64bit.deb
    trivy image 1dev/server:latest
    
  • Decyphertek.io commented 1 year ago

    Idea:

    Would you be able to integrate trivy into this platform? That would be interesting, since it runs in a docker container and would add a security feature to your platform. It would also secure your base code as well.

  • Robin Shen changed fields 1 year ago
    Type: Question (previous value) → Security Vulnerability (current value)
  • OneDev changed state to 'Closed' 1 year ago
    State: Open (previous value) → Closed (current value)
  • OneDev commented 1 year ago

    State changed as code fixing the issue is committed (d623834e)

  • OneDev changed state to 'Released' 1 year ago
    State: Closed (previous value) → Released (current value)
  • OneDev commented 1 year ago

    State changed as build OD-5348 is successful

  • Robin Shen commented 1 year ago

    Thanks for reporting this issue. OneDev enterprise edition already integrates with Trivy and the vulnerability scan will be performed on a daily basis.

Type: Security Vulnerability
Priority: Normal
Assignee: (none shown)
Labels: No labels
Issue Votes: 0
Watchers: 2
Reference: OD-2025