=====================================================================
CERT-Renater Information Note No. 2022/VULN287
_____________________________________________________________________

DATE                 : 25/08/2022
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running PostgreSQL JDBC versions prior to 42.2.26 / 42.4.1.
=====================================================================

https://www.postgresql.org/message-id/166056971352.655.12904366583007555449%40wrigleys.postgresql.org
_____________________________________________________________________

The PostgreSQL JDBC team have released 42.2.26 and 42.4.1 to address a
security issue: CVE-2022-31197.

This is only an issue if you are using ResultSet.refreshRow().

Previously, the column names for both key and data columns in the table
were copied as-is into the generated SQL. This allowed a malicious table
with column names that include a statement terminator to be parsed and
executed as multiple separate commands.

More information about this security advisory is available here:
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2

Thanks to Sho Kato (https://github.com/kato-sho) for finding and
reporting the issue.

Regards,
pgjdbc team

=========================================================
+ CERT-RENATER       | tel   : 01-53-94-20-44            +
+ 23/25 Rue Daviel   | fax   : 01-53-94-20-41            +
+ 75013 Paris        | email : cert@support.renater.fr   +
=========================================================
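The defect described above, as an added Java illustration that is not pgjdbc's own source: a refreshRow()-style SELECT rebuilt from the column names a ResultSet reports, with identifiers concatenated verbatim, beside the quoted-identifier form that the fixed driver versions use. The class, the helper names (buildUnsafe, buildSafe, quoteIdentifier), the table "t" and the hostile column name are all constructed for this example.

```java
import java.util.List;

/* Constructed example: the driver does not choose the column names it
   re-selects; they come from the table definition on the server, so an
   attacker who can create or alter a table controls them. */
public class RefreshRowIdentifiers {

    /* Vulnerable pattern (behaviour before 42.2.26 / 42.4.1): names are
       pasted as-is, so a name containing ';' ends the statement early. */
    static String buildUnsafe(String table, List<String> keys, List<String> cols) {
        StringBuilder sb = new StringBuilder("SELECT ");
        sb.append(String.join(", ", cols)).append(" FROM ").append(table).append(" WHERE ");
        for (int i = 0; i < keys.size(); i++) {
            if (i > 0) sb.append(" AND ");
            sb.append(keys.get(i)).append(" = ?");
        }
        return sb.toString();
    }

    /* Hardened form: wrap every identifier in double quotes and double any
       embedded quote, so the PostgreSQL parser always sees one identifier
       token. A NUL byte cannot appear in an identifier and is rejected. */
    static String quoteIdentifier(String ident) {
        if (ident.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("identifier contains a NUL byte");
        }
        return "\"" + ident.replace("\"", "\"\"") + "\"";
    }

    static String buildSafe(String table, List<String> keys, List<String> cols) {
        StringBuilder sb = new StringBuilder("SELECT ");
        for (int i = 0; i < cols.size(); i++) {
            if (i > 0) sb.append(", ");
            sb.append(quoteIdentifier(cols.get(i)));
        }
        sb.append(" FROM ").append(quoteIdentifier(table)).append(" WHERE ");
        for (int i = 0; i < keys.size(); i++) {
            if (i > 0) sb.append(" AND ");
            sb.append(quoteIdentifier(keys.get(i))).append(" = ?");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed column name carrying a statement terminator and a comment marker.
        String hostile = "name; SELECT 1; --";
        List<String> keys = List.of("id");
        List<String> cols = List.of("id", hostile);
        System.out.println(buildUnsafe("t", keys, cols)); // two statements, WHERE clause commented out
        System.out.println(buildSafe("t", keys, cols));   // one statement, one oddly named column
    }
}
```

The unsafe builder yields SELECT id, name; SELECT 1; -- FROM t WHERE id = ?, which a statement splitter treats as two commands; the safe builder yields SELECT "id", "name; SELECT 1; --" FROM "t" WHERE "id" = ?, where the terminator is inert inside the quoted identifier.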