September 26, 2024: PostgreSQL 17 Released!

PostgreSQL JDBC 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, and 42.2.28.jre7 Security update for CVE-2024-1597

Posted on 2024-02-21 by JDBC Project
Related Open Source Security

The PostgreSQL JDBC team have released 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, and 42.2.28.jre7 to address a security issue: CVE-2024-1597. (Note there is no fix for 42.2.26.jre6 see the advisory for workarounds)

SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value.

There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.

See the security advisory for the details. Thanks to Paul Gerste for finding and reporting the issue.