Security release CVE-2022-31197

From: Dave Cramer <davecramer(at)gmail(dot)com>
To: pgsql-jdbc(at)lists(dot)postgresql(dot)org
Subject: Security release CVE-2022-31197
Date: 2022-08-03 14:04:49
Message-ID: CADK3HH+zHr3NDN-GgyHTc38nbKPJ620pA9kR_nt0gq2JrCw8cw@mail.gmail.com
Lists: pgsql-jdbc

Greetings,

We have released 42.2.26 and 42.4.1 to address a security issue.

Previously, the column names for both key and data columns in the table
were copied as-is into the generated SQL. This allowed a malicious table
with column names that include a statement terminator to be parsed and
executed as multiple separate commands.

Thanks to Sho Kato https://github.com/kato-sho for finding and reporting
the issue.

Regards,

pgjdbc team
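The mechanism the announcement describes, shown as an added example that is not pgjdbc's own code (it is Python standing in for the Java driver): one builder copies identifiers as-is into the generated UPDATE, the other quotes every identifier, and the quoted form is exercised against an in-memory SQLite table whose column name carries a statement terminator. The table and column names, and the `audit` table, are constructed for the example.

```python
import sqlite3

# Constructed example: a column name that carries a statement terminator,
# mirroring the "malicious table" in the announcement. Names are hypothetical.
HOSTILE_COLUMN = 'note = 1; DROP TABLE audit; --'


def quote_ident(name: str) -> str:
    """Quote an SQL identifier as PostgreSQL (and SQLite) expect: wrap it in
    double quotes and double any embedded double quote. A NUL byte cannot be
    part of a PostgreSQL identifier, so it is rejected outright."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def build_update_vulnerable(table: str, key_col: str, data_col: str) -> str:
    """Pre-fix shape: identifiers from table metadata copied as-is into SQL."""
    return f"UPDATE {table} SET {data_col} = ? WHERE {key_col} = ?"


def build_update_safe(table: str, key_col: str, data_col: str) -> str:
    """Hardened shape: every identifier passes through quote_ident()."""
    return (f"UPDATE {quote_ident(table)} SET {quote_ident(data_col)} = ? "
            f"WHERE {quote_ident(key_col)} = ?")


def terminators_outside_quotes(sql: str) -> int:
    """Count ';' characters that sit outside single- or double-quoted text.
    Anything above zero means the text would be parsed as more than one
    statement by a server that accepts multi-statement queries."""
    count = 0
    quote = None
    for ch in sql:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            count += 1
    return count


def run_safe_update() -> tuple:
    """Run the quoted UPDATE against an in-memory SQLite database whose table
    has the hostile column name. Returns the updated value and whether the
    unrelated 'audit' table survived."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit (id INTEGER)")
    col = quote_ident(HOSTILE_COLUMN)
    conn.execute(f"CREATE TABLE t (id INTEGER PRIMARY KEY, {col} TEXT)")
    conn.execute(f"INSERT INTO t (id, {col}) VALUES (1, 'old')")
    conn.execute(build_update_safe("t", "id", HOSTILE_COLUMN), ("new", 1))
    value = conn.execute(f"SELECT {col} FROM t WHERE id = 1").fetchone()[0]
    audit_rows = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'audit'"
    ).fetchone()[0]
    conn.close()
    return value, audit_rows == 1


if __name__ == "__main__":
    vuln = build_update_vulnerable("t", "id", HOSTILE_COLUMN)
    safe = build_update_safe("t", "id", HOSTILE_COLUMN)
    print("as-is  :", vuln, "->", terminators_outside_quotes(vuln), "terminators")
    print("quoted :", safe, "->", terminators_outside_quotes(safe), "terminators")
    print("safe run:", run_safe_update())
```

The as-is builder turns the one column name into `UPDATE t SET note = 1; DROP TABLE audit; -- = ? WHERE id = ?`, which is two statements followed by a comment; the quoted builder keeps the whole name inside one identifier, so the parameter placeholders still bind where intended and no second statement exists. Quoting identifiers also preserves case, which matters for PostgreSQL names that were created with mixed case.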
