Showing 1 - 4 of 4

CVE-2022-31197

Status Candidate

Overview

PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.

Related Files

Red Hat Security Advisory 2023-1006-01: Posted Mar 9, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-1006-01 - This release of Red Hat build of Quarkus 2.7.7 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section. Issues addressed include code execution, denial of service, deserialization, information leakage, memory leak, and remote SQL injection vulnerabilities.; tags | advisory, remote, denial of service, vulnerability, code execution, sql injection, memory leak; systems | linux, redhat; advisories | CVE-2022-1471, CVE-2022-31197, CVE-2022-3171, CVE-2022-41946, CVE-2022-41966, CVE-2022-42003, CVE-2022-42004, CVE-2022-42889, CVE-2023-0044; SHA-256 | 22e7b3eb2e44fe047c265d427baa95d5cd894dbe2e83f35b2ba2c51d7269e2f5; Download | Favorite | View

Red Hat Security Advisory 2023-0318-01: Posted Jan 24, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-0318-01 - PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database. Issues addressed include a remote SQL injection vulnerability.; tags | advisory, java, remote, sql injection; systems | linux, redhat; advisories | CVE-2022-31197; SHA-256 | 22201fd8d9418dc89e4bec16f336c3b0d0b87e9c1e1960d290e6060c48728e31; Download | Favorite | View

Red Hat Security Advisory 2022-9023-01: Posted Dec 15, 2022; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2022-9023-01 - This release of Red Hat build of Quarkus 2.13.5 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section. Issues addressed include denial of service and remote SQL injection vulnerabilities.; tags | advisory, remote, denial of service, vulnerability, sql injection; systems | linux, redhat; advisories | CVE-2022-31197, CVE-2022-3171, CVE-2022-37734, CVE-2022-4116, CVE-2022-4147, CVE-2022-42003, CVE-2022-42004, CVE-2022-42889; SHA-256 | df6b37e9380bd4d9840f228c66d0517e1bce9318d82620afe02d2b5655495e78; Download | Favorite | View

Red Hat Security Advisory 2022-8652-01: Posted Nov 29, 2022; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2022-8652-01 - This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include bypass, cross site scripting, denial of service, remote SQL injection, and traversal vulnerabilities.; tags | advisory, remote, denial of service, vulnerability, xss, sql injection; systems | linux, redhat; advisories | CVE-2019-8331, CVE-2021-31684, CVE-2021-3717, CVE-2021-44906, CVE-2022-0613, CVE-2022-2048, CVE-2022-2053, CVE-2022-24723, CVE-2022-24785, CVE-2022-24823, CVE-2022-25857, CVE-2022-31129, CVE-2022-31197, CVE-2022-33980; SHA-256 | b89385857db68f0aa348c05a9ddb89d72cf0040803429d98b23d91abba728434; Download | Favorite | View

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days

Red Hat 292 files
Ubuntu 62 files
Gentoo 32 files
Debian 31 files
LiquidWorm 10 files
Apple 9 files
malvuln 7 files
Ahmet Umit Bayram 4 files
nu11secur1ty 4 files
Adam Gowdiak 4 files

File Archives

Systems

AIX (429)
Apple (2,087)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,038)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,499)
HPUX (880)
iOS (375)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,588)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,751)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,492)
UNIX (9,397)
UnixWare (187)
Windows (6,658)
Other

CVE-2022-31197

Overview

Related Files

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems