PostgreSQL JDBC versions 42.4.1/42.2.26 Security Update

Posted on 2022-08-15 by JDBC Project
Related Open Source Security

The PostgreSQL JDBC team have released 42.2.26 and 42.4.1 to address a security issue: CVE-2022-31197. This is only an issue if you are using ResultSet.refreshRow()

Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include statement terminator to be parsed and executed as multiple separate commands. More information about this security advisory is available here

Thanks to Sho Kato for finding and reporting the issue


pgjdbc team