Postgresql Jdbc Driver

By the Year

In 2022 there have been 3 vulnerabilities in Postgresql Jdbc Driver with an average score of 9.2 out of ten. Postgresql Jdbc Driver did not have any published security vulnerabilities last year. That is, 3 more vulnerabilities have already been reported in 2022 as compared to last year.

Year Vulnerabilities Average Score
2022 3 9.20
2021 0 0.00
2020 1 7.70
2019 0 0.00
2018 1 8.10

It may take a day or so for new Postgresql Jdbc Driver vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Postgresql Jdbc Driver Security Vulnerabilities

CVE-2022-31197 8 - High - August 03, 2022

PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database-independent Java code. The PgJDBC implementation of the `java.sql.ResultSet.refreshRow()` method does not escape column names, so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User applications that do invoke that method are impacted if the underlying database they query via JDBC may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table whose column names contain the malicious SQL and then invoking the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.

SQL Injection

CVE-2022-26520 9.8 - Critical - March 10, 2022

** DISPUTED ** In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

CVE-2022-21724 9.8 - Critical - February 02, 2022

pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database during security research. A system using the PostgreSQL library can be attacked when an attacker controls the JDBC URL or properties. pgjdbc instantiates plugin instances based on class names provided via the `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory` and `sslpasswordcallback` connection properties. However, the driver did not verify that the class implements the expected interface before instantiating it. This can lead to code execution through the loading of arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.

Improper Initialization

CVE-2020-13692 7.7 - High - June 04, 2020

PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XML External Entity (XXE) injection.

XXE

CVE-2018-10936 8.1 - High - August 30, 2018

A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and have the host name go unchecked if no host name verifier was provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by presenting a certificate for the wrong host, as long as it was signed by a trusted CA.

Improper Validation of Certificate with Host Mismatch
