CVE-2022-31197 — SQL Injection in Postgresql Jdbc Driver
Severity
8.0HIGHNVD
CNA7.1VulnCheck7.1
EPSS
3.6%
top 12.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedAug 3
Latest updateJul 15
Description
PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `Resul…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 2.1 | Impact: 5.9
Affected Packages2 packages
Also affects: Debian Linux 10.0, Fedora 35, 36
Patches
🔴Vulnerability Details
5GHSA▶
PostgreSQL JDBC Driver SQL Injection in ResultSet.refreshRow() with malicious column names↗2022-08-06
OSV▶
PostgreSQL JDBC Driver SQL Injection in ResultSet.refreshRow() with malicious column names↗2022-08-06
OSV▶
CVE-2022-31197: PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code↗2022-08-03
VulnCheck▶
postgresql postgresql_jdbc_driver Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')↗2022