Homepage
About Snyk

org.postgresql:postgresql@9.4-1202-jdbc42 vulnerabilities

  • latest version

    42.7.3

  • latest non vulnerable version

    42.7.3

  • first published

    11 years ago

  • latest version published

    2 months ago

  • licenses detected

    • PostgreSQL
      [9.4-1200-jdbc4,9.4.1212); [9.4.1212.jre6,42.0.0); [42.0.0.jre6,42.1.0); [42.1.0.jre7,42.1.1); [42.1.1.jre6,42.1.2); [42.1.2.jre6,42.1.3); [42.1.3.jre6,42.1.4); [42.1.4.jre6,42.2.0); [42.2.0.jre6,42.2.1); [42.2.1.jre6,42.2.2); [42.2.2.jre6,42.2.3); [42.2.3.jre6,42.2.4); [42.2.4.jre6,42.2.5); [42.2.5.jre6,42.2.6); [42.2.6.jre6,42.2.7); [42.2.7.jre6,42.2.8); [42.2.8.jre6,42.2.9); [42.2.9.jre6,42.2.10); [42.2.10.jre6,42.2.11); [42.2.11.jre6,42.2.12); [42.2.12.jre6,42.2.13)

  • package manager

    View on Maven Repository
Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.postgresql:postgresql package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
SQL Injection

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to SQL Injection when using PreferQueryMode=SIMPLE, which is not the default setting. By passing in a numeric value placeholder immediately preceded by a minus and followed by a second placeholder for a string value, on the same line, an attacker can construct a payload that alters the parameterized query into which it is interpolated. This effectively bypasses the protections against SQL Injection that parameterized queries offer.

How to fix SQL Injection?

Upgrade org.postgresql:postgresql to version 42.2.28.jre7, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2 or higher.

[,42.2.28.jre7) [42.3.0,42.3.9) [42.4.0,42.4.4) [42.5.0,42.5.5) [42.6.0,42.6.1) [42.7.0,42.7.2)
  • H
SQL Injection

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to SQL Injection via the java.sql.ResultRow.refreshRow() function in jdbc/PgResultSet.java, due to insufficient escaping column names. An attacker with control of the underlying database can name a column with a string containing a semicolon or other statement terminator, then convince a user to run a query against the table with the compromised column, and then have the application run ResultSet.refreshRow(), to execute code.

NOTE:

  • An application that only connects to its own database with a fixed schema with no DDL permissions is not affected by this vulnerability.
  • Additionally, applications that do not invoke ResultSet.refreshRow() are not affected.

How to fix SQL Injection?

Upgrade org.postgresql:postgresql to version 42.2.26, 42.3.7, 42.4.1 or higher.

[,42.2.26) [42.3.0,42.3.7) [42.4.0,42.4.1)
  • H
XML External Entity (XXE) Injection

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The PgSQLXML class used for parsing was found to allow external entities and multiple doc types which could allow XXE attacks.

How to fix XML External Entity (XXE) Injection?

Upgrade org.postgresql:postgresql to version 42.2.13 or higher.

[,42.2.13)
  • H
Man-in-the-Middle (MitM)

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver.

How to fix Man-in-the-Middle (MitM)?

Upgrade org.postgresql:postgresql to version 42.2.5 or higher.

[,42.2.5)
Go back to all versions of this package