Affected versions of this package are vulnerable to SQL Injection via the java.sql.ResultRow.refreshRow() function in jdbc/PgResultSet.java, due to insufficient escaping column names. An attacker with control of the underlying database can name a column with a string containing a semicolon or other statement terminator, then convince a user to run a query against the table with the compromised column, and then have the application run ResultSet.refreshRow(), to execute code.
NOTE:
An application that only connects to its own database with a fixed schema with no DDL permissions is not affected by this vulnerability.
Additionally, applications that do not invoke ResultSet.refreshRow() are not affected.
PoC:
CREATE TABLE refresh_row_example (
id int PRIMARY KEY,
"1 FROM refresh_row_example; SELECT pg_sleep(10); SELECT * " int
);
Remediation
Upgrade org.postgresql:postgresql to version 42.2.26, 42.4.1 or higher.
Overview
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.
Affected versions of this package are vulnerable to SQL Injection via the
java.sql.ResultRow.refreshRow()function injdbc/PgResultSet.java, due to insufficient escaping column names. An attacker with control of the underlying database can name a column with a string containing a semicolon or other statement terminator, then convince a user to run a query against the table with the compromised column, and then have the application runResultSet.refreshRow(), to execute code.NOTE:
ResultSet.refreshRow()are not affected.PoC:
Remediation
Upgrade
org.postgresql:postgresqlto version 42.2.26, 42.4.1 or higher.References