Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Postgresql_jdbc_driver
(Postgresql)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 8 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-02-19 | CVE-2024-1597 | pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that... | Fedora, Postgresql_jdbc_driver | 9.8 | ||
| 2022-03-10 | CVE-2022-26520 | In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties | Debian_linux, Postgresql_jdbc_driver | 9.8 | ||
| 2022-11-23 | CVE-2022-41946 | pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files... | Debian_linux, Postgresql_jdbc_driver | 5.5 | ||
| 2012-10-06 | CVE-2012-1618 | Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server with the "standard_conforming_strings" option enabled, such as the default configuration of PostgreSQL 9.1, does not properly escape unspecified JDBC statement parameters, which allows remote attackers to perform SQL injection attacks. NOTE: as of 20120330, it was claimed that the upstream developer planned to dispute this issue, but an official dispute has not been posted as of 20121005. | Postgresql, Postgresql_jdbc_driver | N/A | ||
| 2018-08-30 | CVE-2018-10936 | A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA. | Postgresql_jdbc_driver, Enterprise_linux | 8.1 | ||
| 2020-06-04 | CVE-2020-13692 | PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. | Debian_linux, Fedora, Steelstore_cloud_integrated_storage, Postgresql_jdbc_driver, Quarkus | 7.7 | ||
| 2022-02-02 | CVE-2022-21724 | pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if... | Debian_linux, Fedora, Postgresql_jdbc_driver, Quarkus | 9.8 | ||
| 2022-08-03 | CVE-2022-31197 | PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the... | Debian_linux, Fedora, Postgresql_jdbc_driver | 8.0 |