29th September 2022: PostgreSQL 15 RC 1 Released!

PostgreSQL JDBC versions 42.4.1/42.2.26 Security Update

Posted on 2022-08-15 by JDBC Project
Related Open Source Security

The PostgreSQL JDBC team have released 42.2.26 and 42.4.1 to address a security issue: CVE-2022-31197. This is only an issue if you are using ResultSet.refreshRow()

Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include statement terminator to be parsed and executed as multiple separate commands. More information about this security advisory is available here

Thanks to Sho Kato https://github.com/kato-sho for finding and reporting the issue

Regards,

pgjdbc team