Hello,
I have a question regarding CVE-2022-21724 - Unchecked Class Instantiation
when providing Plugin Classes, fixed by [1].
The CVE describes that in affected versions the user can load the connection properties classes without checking first if the provided class implements the expected interface. The affected connection properties were the following ones:
authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback.
The related security advisory [2] mentions that the first affected version is REL9.4.1208, with an explanation saying that in this release the socketFactory property first appeared.
However, I have checked the REL9.2-1002 release, and even though socketFactory is not present as expected, there are still the sslhostnameverifier, sslfactory and sslpasswordcallback connection properties available for a user to define.
Classes from these properties are loaded with the 'instantiate' method too, without checking whether they implement the required interface.
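
For readers following the question, here is an added illustration of the pattern the CVE describes. It is not part of the original message and not pgjdbc's code. The class and method names (`PluginLoadCheck`, `instantiateUnchecked`, `instantiateChecked`) are hypothetical, and `javax.net.SocketFactory` stands in for the interface a property such as socketFactory expects.

```java
import javax.net.SocketFactory;

public class PluginLoadCheck {
    // Unchecked pattern: load and construct whatever class the property names.
    // Nothing ties the result to the type the caller expects.
    static Object instantiateUnchecked(String className, String arg) throws Exception {
        Class<?> cls = Class.forName(className);
        try {
            return cls.getConstructor(String.class).newInstance(arg);
        } catch (NoSuchMethodException e) {
            return cls.getConstructor().newInstance();
        }
    }

    // Checked pattern: resolve without running static initializers, then
    // require the expected type before any constructor is invoked.
    static <T> T instantiateChecked(Class<T> expected, String className, String arg)
            throws Exception {
        ClassLoader loader = PluginLoadCheck.class.getClassLoader();
        Class<? extends T> cls =
                Class.forName(className, false, loader).asSubclass(expected);
        try {
            return cls.getConstructor(String.class).newInstance(arg);
        } catch (NoSuchMethodException e) {
            return cls.getConstructor().newInstance();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a harmless JDK class with a String constructor
        // that does not extend SocketFactory.
        String configured = "java.lang.StringBuilder";

        Object built = instantiateUnchecked(configured, "arg");
        System.out.println("unchecked: constructed " + built.getClass().getName());

        try {
            instantiateChecked(SocketFactory.class, configured, "arg");
            System.out.println("checked: constructed (unexpected)");
        } catch (ClassCastException e) {
            System.out.println("checked: rejected before construction");
        }
    }
}
```

When auditing an older release for the same issue, the thing to look for is whether each property's class name reaches a constructor call before any type check like the `asSubclass` call above.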