org.postgresql:postgresql 9.4.1211 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.postgresql:postgresql package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
C SQL Injection org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database. Affected versions of this package are vulnerable to SQL Injection when using `PreferQueryMode=SIMPLE`, which is not the default setting. By passing in a numeric value placeholder immediately preceded by a minus and followed by a second placeholder for a string value, on the same line, an attacker can construct a payload that alters the parameterized query into which it is interpolated. This effectively bypasses the protections against SQL Injection that parameterized queries offer. How to fix SQL Injection? Upgrade `org.postgresql:postgresql` to version 42.2.28.jre7, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2 or higher.	[,42.2.28.jre7)[42.3.0,42.3.9)[42.4.0,42.4.4)[42.5.0,42.5.5)[42.6.0,42.6.1)[42.7.0,42.7.2)
H SQL Injection org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database. Affected versions of this package are vulnerable to SQL Injection via the `java.sql.ResultRow.refreshRow()` function in `jdbc/PgResultSet.java`, due to insufficient escaping column names. An attacker with control of the underlying database can name a column with a string containing a semicolon or other statement terminator, then convince a user to run a query against the table with the compromised column, and then have the application run `ResultSet.refreshRow()`, to execute code. NOTE: An application that only connects to its own database with a fixed schema with no DDL permissions is not affected by this vulnerability. Additionally, applications that do not invoke `ResultSet.refreshRow()` are not affected. How to fix SQL Injection? Upgrade `org.postgresql:postgresql` to version 42.2.26, 42.3.7, 42.4.1 or higher.	[,42.2.26)[42.3.0,42.3.7)[42.4.0,42.4.1)
H Remote Code Execution (RCE) org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database. Affected versions of this package are vulnerable to Remote Code Execution (RCE) when using certain plugin features. `pgjdbc` instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, and `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. How to fix Remote Code Execution (RCE)? Upgrade `org.postgresql:postgresql` to version 42.2.25, 42.3.2 or higher.	[9.4.1208,42.2.25)[42.3.0,42.3.2)
H XML External Entity (XXE) Injection org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The `PgSQLXML` class used for parsing was found to allow external entities and multiple doc types which could allow XXE attacks. How to fix XML External Entity (XXE) Injection? Upgrade `org.postgresql:postgresql` to version 42.2.13 or higher.	[,42.2.13)
H Man-in-the-Middle (MitM) org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database. Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. How to fix Man-in-the-Middle (MitM)? Upgrade `org.postgresql:postgresql` to version 42.2.5 or higher.	[,42.2.5)

Vulnerability

Vulnerable Version

SQL Injection

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to SQL Injection when using PreferQueryMode=SIMPLE, which is not the default setting. By passing in a numeric value placeholder immediately preceded by a minus and followed by a second placeholder for a string value, on the same line, an attacker can construct a payload that alters the parameterized query into which it is interpolated. This effectively bypasses the protections against SQL Injection that parameterized queries offer.

How to fix SQL Injection?

Upgrade org.postgresql:postgresql to version 42.2.28.jre7, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2 or higher.

[,42.2.28.jre7)[42.3.0,42.3.9)[42.4.0,42.4.4)[42.5.0,42.5.5)[42.6.0,42.6.1)[42.7.0,42.7.2)

SQL Injection

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to SQL Injection via the java.sql.ResultRow.refreshRow() function in jdbc/PgResultSet.java, due to insufficient escaping column names. An attacker with control of the underlying database can name a column with a string containing a semicolon or other statement terminator, then convince a user to run a query against the table with the compromised column, and then have the application run ResultSet.refreshRow(), to execute code.

NOTE:

An application that only connects to its own database with a fixed schema with no DDL permissions is not affected by this vulnerability.
Additionally, applications that do not invoke ResultSet.refreshRow() are not affected.

How to fix SQL Injection?

Upgrade org.postgresql:postgresql to version 42.2.26, 42.3.7, 42.4.1 or higher.

[,42.2.26)[42.3.0,42.3.7)[42.4.0,42.4.1)

Remote Code Execution (RCE)

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) when using certain plugin features. pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, and sslpasswordcallback connection properties.

However, the driver did not verify if the class implements the expected interface before instantiating the class.

How to fix Remote Code Execution (RCE)?

Upgrade org.postgresql:postgresql to version 42.2.25, 42.3.2 or higher.

[9.4.1208,42.2.25)[42.3.0,42.3.2)

XML External Entity (XXE) Injection

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The PgSQLXML class used for parsing was found to allow external entities and multiple doc types which could allow XXE attacks.

How to fix XML External Entity (XXE) Injection?

Upgrade org.postgresql:postgresql to version 42.2.13 or higher.

[,42.2.13)

Man-in-the-Middle (MitM)

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver.

How to fix Man-in-the-Middle (MitM)?

Upgrade org.postgresql:postgresql to version 42.2.5 or higher.

[,42.2.5)

org.postgresql:postgresql@9.4.1211 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?