CVE-2012-1618 — SQL Injection in Postgresql

7 documents7 sources

Severity

7.5HIGHNVD

EPSS

1.9%

top 16.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Postgresql Postgresql Jdbc Driver

Timeline

PublishedOct 6

Latest updateMay 17

Description

Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server with the "standard_conforming_strings" option enabled, such as the default configuration of PostgreSQL 9.1, does not properly escape unspecified JDBC statement parameters, which allows remote attackers to perform SQL injection attacks. NOTE: as of 20120330, it was claimed that the upstream developer planned to dispute this issue, but an official dispute has not been posted as of 20121005.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶NVDpostgresql/postgresql_jdbc_driver8.1

▶NVDpostgresql/postgresql9.1

🔴Vulnerability Details

GHSA

Unescaped parameters in the PostgreSQL JDBC driver↗2022-05-17

▶

OSV

Unescaped parameters in the PostgreSQL JDBC driver↗2022-05-17

▶

CVEList

CVE-2012-1618: Interaction error in the PostgreSQL JDBC driver before 8↗2012-10-06

▶

📋Vendor Advisories

Red Hat

postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters↗2012-03-25

▶

Debian

CVE-2012-1618: libpgjava - Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a Pos...↗2012

▶

💬Community

Bugzilla

CVE-2012-1618 postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters↗2012-03-27

▶