Kato-Sho

**Name of the Vulnerable Software and Affected Versions** PostgreSQL JDBC Driver versions prior to 42.2.26 PostgreSQL JDBC Driver versions prior to 42.4.1 **Description** The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names, allowing a malicious column name that contains a statement terminator, e.g. `;`, to lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User applications that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name whose column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. **Recommendations** For versions prior to 42.2.26, upgrade to version 42.2.26 or later. For versions prior to 42.4.1, upgrade to version 42.4.1 or later. As a temporary workaround, consider not using the `ResultSet.refreshRow()` method. If the `ResultSet.refreshRow()` method is used, ensure that the code that executes that method does not connect to a database that is controlled by an unauthenticated or malicious user.