org.postgresql:postgresql@42.2.29 vulnerabilities

latest version

42.7.3
latest non vulnerable version

42.7.3
first published

11 years ago
latest version published

2 months ago
licenses detected
- BSD-2-Clause
  [9.2-1002-jdbc4,9.4-1200-jdbc4); [9.4.1212,9.4.1212.jre6); [42.0.0,42.0.0.jre6); [42.1.0,42.1.0.jre7); [42.1.1,42.1.1.jre6); [42.1.2,42.1.2.jre6); [42.1.3,42.1.3.jre6); [42.1.4,42.1.4.jre6); [42.2.0,42.2.0.jre6); [42.2.1,42.2.1.jre6); [42.2.2,42.2.2.jre6); [42.2.3,42.2.3.jre6); [42.2.4,42.2.4.jre6); [42.2.5,42.2.5.jre6); [42.2.6,42.2.6.jre6); [42.2.7,42.2.7.jre6); [42.2.8,42.2.8.jre6); [42.2.9,42.2.9.jre6); [42.2.10,42.2.10.jre6); [42.2.11,42.2.11.jre6); [42.2.12,42.2.12.jre6); [42.2.13,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.postgresql:postgresql package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Arbitrary Code Injection org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database. Affected versions of this package are vulnerable to Arbitrary Code Injection. DISPUTED When an arbitrary filename is specified in the `loggerFileName` connection parameter `jdbc:postgresql://localhost:5432/test?user=test&password=test&loggerLevel=DEBUG&loggerFile=./blah.jsp&<%Runtime.getRuntime().exec(request.getParameter("i"));%>`, a valid `JSP` file is created and a Remote Code Execution could be performed. Note: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties. How to fix Arbitrary Code Injection? Upgrade `org.postgresql:postgresql` to version 42.3.3 or higher.	[42.1.0,42.3.3)

Arbitrary Code Injection

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to Arbitrary Code Injection. DISPUTED

When an arbitrary filename is specified in the loggerFileName connection parameter jdbc:postgresql://localhost:5432/test?user=test&password=test&loggerLevel=DEBUG&loggerFile=./blah.jsp&<%Runtime.getRuntime().exec(request.getParameter("i"));%>, a valid JSP file is created and a Remote Code Execution could be performed.

Note: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

How to fix Arbitrary Code Injection?

Upgrade org.postgresql:postgresql to version 42.3.3 or higher.

[42.1.0,42.3.3)

Go back to all versions of this package

org.postgresql:postgresql@42.2.29 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities