CVE-2022-31197

Name of the Vulnerable Software and Affected Versions PostgreSQL JDBC Driver versions prior to 42.2.26 PostgreSQL JDBC Driver versions prior to 42.4.1

Description The PGJDBC implementation of the java.sql.ResultRow.refreshRow() method is not performing escaping of column names, allowing a malicious column name that contains a statement terminator, e.g. ;, to lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the ResultSet.refreshRow() method are not impacted. User applications that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name whose column names would contain the malicious SQL and subsequently invoke the refreshRow() method on the ResultSet.

Recommendations For versions prior to 42.2.26, upgrade to version 42.2.26 or later. For versions prior to 42.4.1, upgrade to version 42.4.1 or later. As a temporary workaround, consider not using the ResultSet.refreshRow() method. If the ResultSet.refreshRow() method is used, ensure that the code that executes that method does not connect to a database that is controlled by an unauthenticated or malicious user.