cve-2022-31197
Vulnerability from cvelistv5
Published
2022-08-03 00:00
Modified
2024-08-03 07:11
Summary
PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:11:39.725Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637"
          },
          {
            "name": "FEDORA-2022-d7d49b2fac",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6WHUADTZBBQLVHO4YG4XCWDGWBT4LRP/"
          },
          {
            "name": "FEDORA-2022-cdeabe1bc0",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTFE6SV33P5YYU2GNTQZQKQRVR3GYE4S/"
          },
          {
            "name": "[debian-lts-announce] 20221008 [SECURITY] [DLA 3140-1] libpgjava security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00009.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pgjdbc",
          "vendor": "pgjdbc",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 42.2.0, \u003c 42.2.26"
            },
            {
              "status": "affected",
              "version": "\u003e= 42.3.0, \u003c 42.4.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application\u0027s JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who\u0027s column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application\u0027s JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-08T00:00:00",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2"
        },
        {
          "url": "https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637"
        },
        {
          "name": "FEDORA-2022-d7d49b2fac",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6WHUADTZBBQLVHO4YG4XCWDGWBT4LRP/"
        },
        {
          "name": "FEDORA-2022-cdeabe1bc0",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTFE6SV33P5YYU2GNTQZQKQRVR3GYE4S/"
        },
        {
          "name": "[debian-lts-announce] 20221008 [SECURITY] [DLA 3140-1] libpgjava security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00009.html"
        }
      ],
      "source": {
        "advisory": "GHSA-r38f-c4h4-hqq2",
        "discovery": "UNKNOWN"
      },
      "title": "SQL Injection in ResultSet.refreshRow() with malicious column names in pgjdbc"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31197",
    "datePublished": "2022-08-03T00:00:00",
    "dateReserved": "2022-05-18T00:00:00",
    "dateUpdated": "2024-08-03T07:11:39.725Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-31197\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-08-03T19:15:08.630\",\"lastModified\":\"2024-11-21T07:04:06.317\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application\u0027s JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who\u0027s column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application\u0027s JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.\"},{\"lang\":\"es\",\"value\":\"El controlador JDBC de PostgreSQL (PgJDBC para abreviar) permite a los programas Java conectarse a una base de datos PostgreSQL usando c\u00f3digo Java est\u00e1ndar e independiente de la base de datos. La implementaci\u00f3n de PGJDBC del m\u00e9todo \\\"java.sql.ResultRow.refreshRow()\\\" no realiza el escape de los nombres de las columnas, por lo que un nombre de columna malicioso que contenga un terminador de sentencia, por ejemplo \\\";\\\", podr\u00eda conllevar una inyecci\u00f3n SQL. Esto podr\u00eda conllevar a una ejecuci\u00f3n de comandos SQL adicionales como usuario JDBC de la aplicaci\u00f3n. Las aplicaciones de usuario que no invocan el m\u00e9todo \\\"ResultSet.refreshRow()\\\" no est\u00e1n afectadas. Las aplicaciones de usuario que s\u00ed invocan ese m\u00e9todo est\u00e1n afectadas si la base de datos subyacente que est\u00e1n consultando por medio de su aplicaci\u00f3n JDBC puede estar bajo el control de un atacante. El ataque requiere que el atacante enga\u00f1e al usuario para que ejecute SQL contra un nombre de tabla cuyos nombres de columna contengan el SQL malicioso y posteriormente invoque el m\u00e9todo \\\"refreshRow()\\\" en el ResultSet. Tenga en cuenta que el usuario JDBC de la aplicaci\u00f3n y el propietario del esquema no tienen por qu\u00e9 ser el mismo. Una aplicaci\u00f3n JDBC que es ejecutado como un usuario privilegiado consultando esquemas de base de datos que pertenecen a usuarios menos privilegiados potencialmente maliciosos ser\u00eda vulnerable. En esta situaci\u00f3n, el usuario malicioso podr\u00eda dise\u00f1ar un esquema que causara que la aplicaci\u00f3n ejecutara comandos como el usuario privilegiado. Las versiones parcheadas ser\u00e1n publicadas como \\\"42.2.26\\\" y \\\"42.4.1\\\". Es recomendado a usuarios actualizar. No se presentan mitigaciones conocidas para este problema\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"42.2.26\",\"matchCriteriaId\":\"A4B4125F-2B70-4892-85C9-6226E5CD21C8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"42.3.0\",\"versionEndExcluding\":\"42.3.7\",\"matchCriteriaId\":\"646150E7-E010-4542-AA3D-EEC004B6DDCA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.4.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"CD82823E-2E47-443C-B931-FBD07CE2EAF0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.4.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7033FDFD-F6C7-4222-B7F5-CFDD767F6B93\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.4.1:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"C99075C4-A49C-4ED5-9208-9B397094E476\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"}]}]}],\"references\":[{\"url\":\"https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/10/msg00009.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6WHUADTZBBQLVHO4YG4XCWDGWBT4LRP/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTFE6SV33P5YYU2GNTQZQKQRVR3GYE4S/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/10/msg00009.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6WHUADTZBBQLVHO4YG4XCWDGWBT4LRP/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTFE6SV33P5YYU2GNTQZQKQRVR3GYE4S/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.