VYPR
← All advisories
Moderate severityNVD Advisory· Published Nov 23, 2022· Updated Nov 3, 2025

TemporaryFolder on unix-like systems does not limit access to created files in pgjdbc

CVE-2022-41946

Description

pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either PreparedStatement.setText(int, InputStream) or PreparedStatemet.setBytea(int, InputStream) will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PgJDBC created world-readable temporary files when handling large InputStreams in PreparedStatement methods, leaking data to other local users on Unix-like systems.

Root

Cause

PgJDBC's PreparedStatement.setText(int, InputStream) and PreparedStatement.setBytea(int, InputStream) methods [1][2] create temporary files when the provided InputStream exceeds 2 KB (the advisory mentions 51 KB as the threshold for the fixed version [4]). On Unix-like systems (excluding macOS), these temporary files are written to the shared system temporary directory with default POSIX permissions that make them readable by all local users [2][4]. The driver relies on java.io.File.createTempFile, which does not set restrictive permissions [3].

Exploitation

The vulnerability is exploitable only in multi-user environments where untrusted users share the same host. An attacker with local access to the system can read the contents of these temporary files [4]. The attack requires no special privileges beyond being able to list files in /tmp or the configured temporary directory. The vulnerable code path is triggered whenever an application passes a large InputStream (greater than 2 KB) to the affected methods [2][4].

Impact

This is a pure information disclosure vulnerability [2][4]. An attacker can read sensitive data that was temporarily stored in the file, such as large binary objects (BLOBs) or text values passed via setText or setBytea. The attacker cannot overwrite or delete the files; the disclosure is limited to reading the file contents [2][4].

Mitigation

The fix is version- and JDK-dependent. For Java 8 and higher, the vulnerability is patched in versions 42.2.27, 42.3.8, 42.4.3, and 42.5.1 [3][4]. For Java 7, the fix is in version 42.2.27.jre7 [4]. Java 6 and lower have no patch [2][4]; users on those versions can mitigate by setting the java.io.tmpdir system property to a directory owned exclusively by the executing user [2][4].

References
  1. GitHub - pgjdbc/pgjdbc: Postgresql JDBC Driver
  2. NVD - CVE-2022-41946
  3. Merge pull request from GHSA-562r-vg33-8x8h · pgjdbc/pgjdbc@9008dc9
  4. TemporaryFolder on unix-like systems does not limit access to created files

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.postgresql:postgresqlMaven
>= 42.2.0, < 42.2.2742.2.27
org.postgresql:postgresqlMaven
>= 42.3.0, < 42.3.842.3.8
org.postgresql:postgresqlMaven
>= 42.4.0, < 42.4.342.4.3
org.postgresql:postgresqlMaven
>= 42.5.0, < 42.5.142.5.1

Affected products

11

Patches

1
9008dc9aade6

Merge pull request from GHSA-562r-vg33-8x8h

https://github.com/pgjdbc/pgjdbcDave CramerNov 23, 2022via ghsa
commit
7 files changed · +111 25
  • CHANGELOG.md+15 1 modified
    @@ -10,6 +10,19 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
 ### Fixed
 
+[42.5.1] (2022-11-21 15:21:59 -0500)
+### Security
+- security: StreamWrapper spills to disk if setText, or setBytea sends very large Strings or arrays to the server. createTempFile creates a file which can be read by other users on unix like systems (Not macos).
+This has been fixed in this version fixes CVE-2022-41946 see the [security advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h) for more details. Reported by [Jonathan Leitschuh](https://github.com/JLLeitschuh) This has been fixed in versions 42.5.1, 42.4.3 42.3.8, 42.2.27.jre7. Note there is no fix for 42.2.26.jre6. See the security advisory for work arounds.
+
+### Fixed
+
+- fix: make sure we select array_in from pg_catalog to avoid duplicate array_in functions fixes [#Issue 2548](https://github.com/pgjdbc/pgjdbc/issues/2548) [PR #2552](https://github.com/pgjdbc/pgjdbc/issues/2552)
+- fix: binary decoding of bool values [PR #2640](https://github.com/pgjdbc/pgjdbc/pull/2640)
+- perf: improve performance of PgResultSet getByte/getShort/getInt/getLong for float-typed columns [PR #2634](https://github.com/pgjdbc/pgjdbc/pull/2634)
+- chore: fix various spelling errors [PR #2592](https://github.com/pgjdbc/pgjdbc/pull/2592)
+- chore: Feature/urlparser improve URLParser [PR #2641](https://github.com/pgjdbc/pgjdbc/pull/2592)
+
 ## [42.5.0] (2022-08-23 11:20:11 -0400)
 ### Changed
 - fix: revert change in [PR #1986](https://github.com/pgjdbc/pgjdbc/pull/1986) where float was aliased to float4 from float8. 
@@ -743,4 +756,5 @@ thrown to caller to be dealt with so no need to log at this verbosity by pgjdbc
 [42.4.1]: https://github.com/pgjdbc/pgjdbc/compare/REL42.4.0...REL42.4.1
 [42.4.2]: https://github.com/pgjdbc/pgjdbc/compare/REL42.4.1...REL42.4.2
 [42.5.0]: https://github.com/pgjdbc/pgjdbc/compare/REL42.4.2...REL42.5.0
-[Unreleased]: https://github.com/pgjdbc/pgjdbc/compare/REL42.5.0...HEAD
+[42.5.0]: https://github.com/pgjdbc/pgjdbc/compare/REL42.5.0...REL42.5.1
+[Unreleased]: https://github.com/pgjdbc/pgjdbc/compare/REL42.5.1...HEAD
  • contributors.json+6 1 modified
    @@ -198,5 +198,10 @@
    "Olivier Bourgain" : "olivierbourgain02@gmail.com",
    "Andrei Lurie" : "alurie@users.noreply.github.com",
    "Sven Diedrichsen" : "sven.diedrichsen@gmail.com",
-   "Sasa Vilic" : "sasavilic@gmail.com"
+   "Sasa Vilic" : "sasavilic@gmail.com",
+   "Evgeniy Devyatykh" : "devyatyh@gmail.com",
+   "Josh Soref" : "2119212+jsoref@users.noreply.github.com",
+   "Kevin222004" : "kevinpatel222004@gmail.com",
+   "Knut Olav Løite" : "koloite@gmail.com",
+   "μtkarsh" : "61664827+utkar-sh-ukla@users.noreply.github.com"
 }
  • docs/content/changelogs/2022-11-21-42.5.1-release.md+64 0 added
    @@ -0,0 +1,64 @@
+---
+title:  PostgreSQL JDBC Driver 42.5.1 Released
+date:   2022-11-21 15:21:47 -0500
+categories:
+    - new_release
+version: 42.5.1
+---
+**Notable changes**
+
+### Security
+- security: StreamWrapper spills to disk if setText, or setBytea sends very large Strings or arrays to the server. createTempFile creates a file which can be read by other users on unix like systems (Not macos).\
+This has been fixed in this version fixes CVE-2022-41946 see the [security advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h) for more details.\
+Reported by [Jonathan Leitschuh](https://github.com/JLLeitschuh)\
+This has been fixed in versions 42.5.1, 42.4.3 42.3.8, 42.2.27.jre7.\
+**Note** there is no fix for 42.2.26.jre6. See the security advisory for work arounds.
+
+### Fixed
+
+- fix: make sure we select array_in from pg_catalog to avoid duplicate array_in functions fixes [#Issue 2548](https://github.com/pgjdbc/pgjdbc/issues/2548) [PR #2552](https://github.com/pgjdbc/pgjdbc/issues/2552)
+- fix: binary decoding of bool values [PR #2640](https://github.com/pgjdbc/pgjdbc/pull/2640)
+- perf: improve performance of PgResultSet getByte/getShort/getInt/getLong for float-typed columns [PR #2634](https://github.com/pgjdbc/pgjdbc/pull/2634)
+- chore: fix various spelling errors [PR #2592](https://github.com/pgjdbc/pgjdbc/pull/2592)
+- chore: Feature/urlparser improve URLParser [PR #2641](https://github.com/pgjdbc/pgjdbc/pull/2592)
+
+
+<!--more-->
+
+**Commits by author**
+
+Dave Cramer (13):
+  Update README.md [PR 2609](https://github.com/pgjdbc/pgjdbc/pull/2609)\
+  Ignore simplequery for postgresql 8.4 [PR 2614](https://github.com/pgjdbc/pgjdbc/pull/2614)\
+  Single commit to move newdocs into master [PR 2618](https://github.com/pgjdbc/pgjdbc/pull/2618)\
+  update versions [PR 2619](https://github.com/pgjdbc/pgjdbc/pull/2619)\
+  fix grammar, fix downloads, minor edits [PR 2626](https://github.com/pgjdbc/pgjdbc/pull/2626)\
+  fix: make sure we select array_in from pg_catalog to avoid duplicate array_in functions fixes #Issue 2548 [PR 2552](https://github.com/pgjdbc/pgjdbc/pull/2552)\
+  clarify prepared statement usage [PR 2629](https://github.com/pgjdbc/pgjdbc/pull/2629)\
+  fix maven coordinates [PR 2631](https://github.com/pgjdbc/pgjdbc/pull/2631)\
+  remove javadoc links for java 17 and above [PR 2637](https://github.com/pgjdbc/pgjdbc/pull/2637)\
+  revert change to PGProperty.get() to keep the API the same [PR 2644](https://github.com/pgjdbc/pgjdbc/pull/2644)\
+  exclude ArrayTest versions less than 9.1 [PR 2645](https://github.com/pgjdbc/pgjdbc/pull/2645)\
+
+Evgeniy Devyatykh (1):
+      perf: improve performance of PgResultSet getByte/getShort/getInt/getLong for float-typed columns [PR 2634](https://github.com/pgjdbc/pgjdbc/pull/2634)
+
+Josh Soref (1):
+      chore: fix various spelling errors [PR 2592](https://github.com/pgjdbc/pgjdbc/pull/2592)
+
+Kevin222004 (1):
+
+Knut Olav Løite (1):
+      fix: binary decoding of bool values [PR 2640](https://github.com/pgjdbc/pgjdbc/pull/2640)
+
+Marek Läll (1):
+      Feature/urlparser improve3 pr1 [PR 2641](https://github.com/pgjdbc/pgjdbc/pull/2641)
+
+Vladimir Sitnikov (4):
+      docs: clarify we ship security fixes by default for the latest 42.x and 42.2 only [PR 2586](https://github.com/pgjdbc/pgjdbc/pull/2586)
+
+μtkarsh (1):
+      Optimize png files [PR 2621](https://github.com/pgjdbc/pgjdbc/pull/2621)
+
+
+    
\ No newline at end of file
  • docs/data/homepagedata.toml+6 1 modified
    @@ -14,6 +14,11 @@ path = "/icons/driver-icon.svg"
 
 # Releases Info
 
+[[info]]
+date = "21 October 2022"
+url = "/changelogs/2022-11-21-42.5.1-release/"
+version = "42.5.1"
+
 [[info]]
 date = "24 August 2022"
 url = "/changelogs/2022-08-24-42.5.0-release/"
@@ -30,6 +35,6 @@ url = "/changelogs/2022-08-03-42.4.1-release/"
 version = "42.4.1"
 
 [[info]]
-date = "09 JUne 2022"
+date = "09 June 2022"
 url = "/changelogs/2022-06-09-42.4.0-release/"
 version = "42.4.0"
  • docs/data/versions.toml+15 20 modified
    @@ -2,47 +2,42 @@
 
 [[recent]]
 j_name= "Java 8"
-version= "42.5.0"
+version= "42.5.1"
 suffix=""
 description= "If you are using Java 8 or newer then you should use the  JDBC 4.2 version."
-url= "/download/postgresql-42.5.0.jar"
+url= "/download/postgresql-42.5.1.jar"
 
 [[recent]]
 j_name= "Java 7"
-version= "42.2.26"
+version= "42.2.27"
 suffix="jre7"
 description= "If you are using Java 7  then you should use the  JDBC 4.1 version."
-url= "/download/postgresql-42.2.26.jre7.jar"
+url= "/download/postgresql-42.2.27.jre7.jar"
 
 [[recent]]
 j_name= "Java 6"
-version= "42.2.26"
+version= "42.2.27"
 suffix="jre6"
 description= "If you are using Java 6  then you should use the  JDBC 4.0 version."
-url= "/download/postgresql-42.2.26.jre6.jar"
+url= "/download/postgresql-42.2.27.jre6.jar"
 
 # Past Versions
 
 [[past]]
-v_name= "Postgresql JDBC 42.4.0"
-version= "42.4.0"
+v_name= "Postgresql JDBC 42.5.0"
+version= "42.5.0"
 suffix=""
-url= "/download/postgresql-42.4.0.jar"
+url= "/download/postgresql-42.5.0.jar"
 
 [[past]]
-v_name= "Postgresql JDBC 42.3.6"
-version= "42.3.6"
+v_name= "Postgresql JDBC 42.4.2"
+version= "42.4.2"
 suffix=""
-url= "/download/postgresql-42.3.6.jar"
+url= "/download/postgresql-42.4.2.jar"
 
 [[past]]
-v_name= "Postgresql JDBC 42.3.5"
-version= "42.3.5"
+v_name= "Postgresql JDBC 42.3.7"
+version= "42.3.7"
 suffix=""
-url= "/download/postgresql-42.3.5.jar"
+url= "/download/postgresql-42.3.7.jar"
 
-[[past]]
-v_name= "Postgresql JDBC 42.3.4"
-version= "42.3.4"
-suffix=""
-url= "/download/postgresql-42.3.4.jar"
  • docs/layouts/partials/home/info.html+3 1 modified
    @@ -15,7 +15,9 @@ <h2>
             Latest Releases
         </h2>
         <p>
-            pgJDBC has released v42.5.0 on 24 August, 2022. Please see the release notes below.
+            pgJDBC has released v42.5.1 on 21 October, 2022. This is a security release which fixes CVE-2022-41946 
+            see <a href="https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h" >Security Advisory</a>
+            for details
         </p>
         <ul role="list">
             {{ range $.Site.Data.homepagedata.info }}
  • pgjdbc/src/main/java/org/postgresql/util/StreamWrapper.java+2 1 modified
    @@ -17,6 +17,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.file.Files;
 
 /**
  * Wrapper around a length-limited InputStream.
@@ -51,7 +52,7 @@ public StreamWrapper(InputStream stream) throws PSQLException {
 
       if (memoryLength == -1) {
         final int diskLength;
-        final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);
+        final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
         FileOutputStream diskOutputStream = new FileOutputStream(tempFile);
         diskOutputStream.write(rawData);
         try {

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

11

News mentions

0

No linked articles in our index yet.