Proof of concept
4 Aug 2022
How to fix?
Upgrade org.postgresql:postgresql to version 42.2.26, 42.4.1 or higher.
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.
Affected versions of this package are vulnerable to SQL Injection via the java.sql.ResultRow.refreshRow() function in jdbc/PgResultSet.java, due to insufficient escaping of column names. An attacker with control of the underlying database can name a column with a string containing a semicolon or other statement terminator, then convince a user to run a query against the table with the compromised column, and then have the application run ResultSet.refreshRow(), to execute code.
- An application that only connects to its own database with a fixed schema with no DDL permissions is not affected by this vulnerability.
- Additionally, applications that do not invoke ResultSet.refreshRow() are not affected.
CREATE TABLE refresh_row_example ( id int PRIMARY KEY, "1 FROM refresh_row_example; SELECT pg_sleep(10); SELECT * " int );
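The root cause above is a generated statement that concatenates column names without quoting them, so a name that contains a statement terminator changes the shape of the query. The following is an added example, not code from the advisory or from the pgjdbc project: it takes the proof-of-concept column name from the CREATE TABLE above, shows the unquoted construction beside a hardened one that quotes identifiers the way PostgreSQL expects (wrap in double quotes, double any embedded double quote), and includes two defender-side checks: a scanner that counts top-level statement terminators in a generated query, and a schema audit that flags column names carrying terminators. The function names, the `ctid = $1` row-refresh shape and the helper logic are assumptions made for illustration, not the driver's own implementation.

```python
# Column name taken verbatim from the advisory's proof-of-concept CREATE TABLE.
POC_COLUMN = "1 FROM refresh_row_example; SELECT pg_sleep(10); SELECT * "
TABLE = "refresh_row_example"


def quote_identifier(name: str) -> str:
    """Quote a PostgreSQL identifier: wrap it in double quotes and double
    every embedded double quote. Inside a quoted identifier a semicolon or
    keyword is just part of the name, so it can only ever denote a column."""
    if "\x00" in name:
        raise ValueError("identifier contains a NUL byte")
    return '"' + name.replace('"', '""') + '"'


def build_refresh_query_unsafe(table: str, columns: list[str]) -> str:
    """Illustrates the flaw described in the advisory (assumed shape):
    column and table names are concatenated without quoting."""
    return "SELECT " + ", ".join(columns) + " FROM " + table + " WHERE ctid = $1"


def build_refresh_query(table: str, columns: list[str]) -> str:
    """Hardened construction: every identifier is quoted, so the query stays
    a single SELECT regardless of what the schema owner named the column."""
    cols = ", ".join(quote_identifier(c) for c in columns)
    return "SELECT " + cols + " FROM " + quote_identifier(table) + " WHERE ctid = $1"


def top_level_semicolons(sql: str) -> int:
    """Count ';' characters that sit outside quoted identifiers and string
    literals. A query the application meant as one statement should score 0;
    anything higher means names or values leaked into the statement structure."""
    in_dquote = in_squote = False
    count = 0
    for ch in sql:
        if ch == '"' and not in_squote:
            in_dquote = not in_dquote   # doubled quotes toggle twice, net no change
        elif ch == "'" and not in_dquote:
            in_squote = not in_squote
        elif ch == ";" and not in_dquote and not in_squote:
            count += 1
    return count


def suspicious_column_names(columns: list[str]) -> list[str]:
    """Schema audit for the mitigation the advisory implies: an application
    whose schema it does not fully control can check catalog-reported column
    names for statement terminators or comment markers before trusting them."""
    return [c for c in columns if ";" in c or "--" in c or "/*" in c]


if __name__ == "__main__":
    cols = ["id", POC_COLUMN]
    unsafe = build_refresh_query_unsafe(TABLE, cols)
    safe = build_refresh_query(TABLE, cols)
    print("unsafe:", unsafe, "->", top_level_semicolons(unsafe), "extra terminators")
    print("safe:  ", safe, "->", top_level_semicolons(safe), "extra terminators")
    print("flagged columns:", suspicious_column_names(cols))
```

Run as a script it prints both generated queries: the unquoted one contains two top-level terminators (three statements), the quoted one contains none, and the audit lists the proof-of-concept column as suspicious. The scanner is deliberately simple (it does not understand dollar-quoting or comments) and is meant as a regression check on generated SQL, not as a substitute for quoting identifiers.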