PostgreSQL JDBC versions 42.4.1/42.2.26 Security Update

From: JDBC Project via PostgreSQL Announce <announce-noreply(at)postgresql(dot)org>
To: PostgreSQL Announce <pgsql-announce(at)lists(dot)postgresql(dot)org>
Subject: PostgreSQL JDBC versions 42.4.1/42.2.26 Security Update
Date: 2022-08-15 13:21:53
Lists: pgsql-announce

The PostgreSQL JDBC team have released 42.2.26 and 42.4.1 to address a security issue: CVE-2022-31197. This is only an issue if you are using ResultSet.refreshRow().

Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include a statement terminator to be parsed and executed as multiple separate commands.
More information about this security advisory is available [here](

Thanks to Sho Kato for finding and reporting the issue.


pgjdbc team
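
The issue described in the announcement comes down to identifier quoting when SQL is assembled from column metadata. The following is an added example, not pgjdbc source code: it builds a row-refresh SELECT with names copied as-is and again with PostgreSQL's quoted-identifier rule applied. The class, method, table and column names are assumptions made for illustration.

```java
import java.util.List;
import java.util.stream.Collectors;

// Added illustration, not pgjdbc source: all names here are hypothetical.
public class RefreshRowSqlDemo {

    // Behaviour the advisory describes: column names are copied as-is.
    static String buildUnquoted(String table, List<String> dataCols, List<String> keyCols) {
        String where = keyCols.stream()
                .map(k -> k + " = ?")
                .collect(Collectors.joining(" and "));
        return "select " + String.join(",", dataCols) + " from " + table + " where " + where;
    }

    // PostgreSQL quoted identifier: wrap in double quotes, double any embedded
    // double quote, and reject NUL, which an identifier cannot contain.
    static String quoteIdent(String name) {
        if (name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in identifier");
        }
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    // Hardened form: every name taken from metadata goes through quoteIdent.
    static String buildQuoted(String table, List<String> dataCols, List<String> keyCols) {
        String cols = dataCols.stream()
                .map(RefreshRowSqlDemo::quoteIdent)
                .collect(Collectors.joining(","));
        String where = keyCols.stream()
                .map(k -> quoteIdent(k) + " = ?")
                .collect(Collectors.joining(" and "));
        return "select " + cols + " from " + quoteIdent(table) + " where " + where;
    }

    public static void main(String[] args) {
        // Constructed column names, standing in for metadata of a table
        // created by someone other than the application owner.
        List<String> data = List.of("id", "note; select 1 --", "odd\"name");
        List<String> keys = List.of("id");
        // Unquoted: the terminator inside the second name ends the statement early.
        System.out.println(buildUnquoted("orders", data, keys));
        // Quoted: each name stays a single identifier token inside one statement.
        System.out.println(buildQuoted("orders", data, keys));
    }
}
```

Key values in both forms stay bound as `?` parameters; only the identifiers need quoting, because they cannot be passed as bind parameters.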
