| From: | Sehrope Sarkuni <sehrope(at)jackdb(dot)com> |
|---|---|
| To: | pgsql-jdbc(at)lists(dot)postgresql(dot)org |
| Cc: | Dave Cramer <davecramer(at)gmail(dot)com> |
| Subject: | Re: Security release CVE-2022-31197 |
| Date: | 2022-08-03 14:35:32 |
| Message-ID: | CAH7T-aqwjmi+Vuc-how2BQKL3aPvgJrKUGZ2S7S1ruS5KvghGA@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
This security issue is specific to the PGJDBC implementation of the
ResultSet.refresh() method.
If you are not using that method in your application code then you will not
be impacted.
User applications that do invoke that method are impacted if the underlying
database that they are querying via their JDBC application may be under the
control of an attacker. The attack requires the attacker to trick the
application into executing SQL against a table name who's column names
would contain the malicious SQL and subsequently invoke the refreshRow()
method on the ResultSet.
More information about this security advisory is available here:
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2
Regards,
-- Sehrope Sarkuni
Founder & CEO | JackDB, Inc. | https://www.jackdb.com/
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dave Cramer | 2022-08-03 16:23:03 | [pgjdbc/pgjdbc] f1a93a: bumped version for next release |
| Previous Message | Dave Cramer | 2022-08-03 14:04:49 | Security release CVE-2022-31197 |