Discussion: Security release CVE-2022-31197


Security release CVE-2022-31197

From
Dave Cramer
Date:
Greetings,

We have released 42.2.26 and 42.4.1 to address a security issue.

Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include a statement terminator to be parsed and executed as multiple separate commands.

Thanks to Sho Kato (https://github.com/kato-sho) for finding and reporting the issue.

Regards,

pgjdbc team

Re: Security release CVE-2022-31197

From
Sehrope Sarkuni
Date:
This security issue is specific to the PGJDBC implementation of the ResultSet.refresh() method.

If you are not using that method in your application code then you will not be impacted.

User applications that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the application into executing SQL against a table name whose column names would contain the malicious SQL and subsequently invoke the refreshRow() method on the ResultSet.

More information about this security advisory is available here: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2

Regards,
-- Sehrope Sarkuni
Founder & CEO | JackDB, Inc. | https://www.jackdb.com/
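
An added illustration of the flaw described in this thread, not pgjdbc's own code: the first builder copies column names into the generated query as-is, the second quotes each one as an identifier. The class, method, table and column names are constructed for this example, and the table name is assumed to be quoted by the caller.

```java
import java.util.List;
import java.util.stream.Collectors;

// Illustration only; not the pgjdbc source. All names here are constructed.
public class RefreshRowSqlDemo {

    // Behaviour described in the announcement: column names copied as-is.
    static String buildUnquoted(String table, List<String> dataCols, List<String> keyCols) {
        String where = keyCols.stream().map(c -> c + " = ?")
                .collect(Collectors.joining(" AND "));
        return "SELECT " + String.join(", ", dataCols)
                + " FROM " + table + " WHERE " + where;
    }

    // Quote a PostgreSQL identifier: wrap it in double quotes and double any
    // embedded double quote. A NUL byte cannot appear in an identifier.
    static String quoteIdent(String name) {
        if (name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in identifier");
        }
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    // Hardened form: every key and data column name goes through quoteIdent().
    static String buildQuoted(String table, List<String> dataCols, List<String> keyCols) {
        String cols = dataCols.stream().map(RefreshRowSqlDemo::quoteIdent)
                .collect(Collectors.joining(", "));
        String where = keyCols.stream().map(c -> quoteIdent(c) + " = ?")
                .collect(Collectors.joining(" AND "));
        return "SELECT " + cols + " FROM " + table + " WHERE " + where;
    }

    public static void main(String[] args) {
        // Constructed metadata: one column name carries a statement terminator,
        // another carries an embedded double quote.
        List<String> data = List.of("id", "note; SELECT 1; --", "a\"b");
        List<String> keys = List.of("id");
        String table = "\"demo_table\""; // assumption: already quoted by the caller

        System.out.println("as-is : " + buildUnquoted(table, data, keys));
        System.out.println("quoted: " + buildQuoted(table, data, keys));
    }
}
```

In the quoted output the terminator sits inside a single identifier token, so the text is parsed as one SELECT statement.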