diff --git a/CVE-2022-41946.patch b/CVE-2022-41946.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ea94caee6ac25b5bb476e5c020694cd55a64c952
--- /dev/null
+++ b/CVE-2022-41946.patch
@@ -0,0 +1,39 @@
+From 2c22de4fc6e4a097ace36eec8b03535b5e2486fe Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Fri, 16 Jun 2023 14:00:11 +0800
+Subject: [PATCH 1/1] Merge pull request from GHSA-562r-vg33-8x8h
+
+* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system
+
+* Update site with change logs and new version information
+
+Origin:
+https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5
+---
+ src/main/java/org/postgresql/util/StreamWrapper.java | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/java/org/postgresql/util/StreamWrapper.java b/src/main/java/org/postgresql/util/StreamWrapper.java
+index c4027ce..49f0b5d 100644
+--- a/src/main/java/org/postgresql/util/StreamWrapper.java
++++ b/src/main/java/org/postgresql/util/StreamWrapper.java
+@@ -17,6 +17,7 @@ import java.io.FileOutputStream;
+ import java.io.IOException;
+ import java.io.InputStream;
+ import java.io.OutputStream;
++import java.nio.file.Files;
+ 
+ /**
+  * Wrapper around a length-limited InputStream.
+@@ -51,7 +52,7 @@ public class StreamWrapper {
+ 
+       if (memoryLength == -1) {
+         final int diskLength;
+-        final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);
++        final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
+         FileOutputStream diskOutputStream = new FileOutputStream(tempFile);
+         diskOutputStream.write(rawData);
+         try {
+-- 
+2.30.0
+
diff --git a/postgresql-jdbc.spec b/postgresql-jdbc.spec
index 0308acd3966ea3a8ba552e71321e18b661458d1e..5f2238f9cac29a76d156c71125d402c6ab425775 100644
--- a/postgresql-jdbc.spec
+++ b/postgresql-jdbc.spec
@@ -1,11 +1,12 @@
 Name:		postgresql-jdbc
 Summary:	Postgresql JDBC Driver
 Version:	42.4.1
-Release:	1
+Release:	2
 License:	BSD
 URL:		http://jdbc.postgresql.org/
 
 Source0:        https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-jdbc-src.tar.gz
+Patch0:         CVE-2022-41946.patch
 
 BuildRequires:	maven-local java-comment-preprocessor properties-maven-plugin	classloader-leak-test-framework
 BuildRequires:	maven-enforcer-plugin maven-plugin-bundle maven-plugin-build-helper java-devel >= 1.8
@@ -38,6 +39,7 @@ This package contains the API Documentation for %{name}.
 %prep
 %setup -c -q
 mv postgresql-%{version}-jdbc-src/* .
+%patch0 -p1
 find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f
 %pom_xpath_remove "pom:plugin[pom:artifactId = 'maven-shade-plugin']"
 %mvn_file org.postgresql:postgresql %{name}/postgresql %{name} postgresql
@@ -78,6 +80,9 @@ find %{_buildrootdir} -name "%{name}.xml" | xargs sed -i '/pgjdbc-aggregate.pom<
 %doc README.md
 
 %changelog
+* Fri Jun 16 2023 yaoxin <yao_xin001@hoperun.com> - 42.4.1-2
+- Fix CVE-2022-41946
+
 * Tue Aug 09 2022 yaoxin <yaoxin30@h-partners.com> - 42.4.1-1
 - Update to 42.4.1 to fix CVE-2022-31197