Vulnerability Details : CVE-2012-1618
Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server that has the "standard_conforming_strings" option enabled (the default configuration of PostgreSQL 9.1): the driver does not properly escape unspecified JDBC statement parameters, which allows remote attackers to perform SQL injection attacks. NOTE: as of 2012-03-30 it was claimed that the upstream developer planned to dispute this issue, but no official dispute had been posted as of 2012-10-05.
Vulnerability category: SQL Injection
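The description above names an interaction between client-side escaping in the driver and the server's standard_conforming_strings setting. The example below is added here and is not code from this page or from the pgjdbc project: it models PostgreSQL's documented parsing of plain '...' literals under both settings and runs two hypothetical client-side escapers plus a setting-aware one through it. The backslash-escaping client, the quote-only client, the query template PREFIX and the payloads are all constructed for illustration and are not a description of what the 8.1 driver actually does.

```python
# Added example (not from this page or the pgjdbc project): a model of how a
# PostgreSQL server splits a statement into '...' literals under each setting
# of standard_conforming_strings, showing why client-side escaping that
# assumes one setting fails under the other. The escapers are hypothetical.

PREFIX = "SELECT id FROM users WHERE name = "   # constructed query template


def tokenize(sql, standard_conforming_strings):
    """Split sql into ('code', text), ('literal', value), ('comment', text).

    Rules modelled (PostgreSQL's behaviour for plain '...' literals):
      * '' inside a literal is one quote character in both settings
      * a backslash escapes the next character only when the setting is off
        (other C-style escapes are kept as the raw character, which does not
        change where the literal ends)
      * -- outside a literal starts a comment running to end of line
    E'...' strings, dollar quoting and block comments are out of scope.
    """
    tokens, code = [], []
    i, n = 0, len(sql)

    def flush():
        if code:
            tokens.append(("code", "".join(code)))
            code.clear()

    while i < n:
        if sql.startswith("--", i):
            flush()
            end = sql.find("\n", i)
            end = n if end == -1 else end
            tokens.append(("comment", sql[i:end]))
            i = end
            continue
        if sql[i] != "'":
            code.append(sql[i])
            i += 1
            continue
        flush()
        i += 1                       # consume the opening quote
        lit, closed = [], False
        while i < n:
            c = sql[i]
            if c == "'":
                if sql.startswith("''", i):   # doubled quote, both settings
                    lit.append("'")
                    i += 2
                    continue
                i += 1
                closed = True
                break
            if c == "\\" and not standard_conforming_strings and i + 1 < n:
                lit.append(sql[i + 1])        # backslash escape, setting off
                i += 2
                continue
            lit.append(c)
            i += 1
        if not closed:
            raise ValueError("unterminated quoted string")
        tokens.append(("literal", "".join(lit)))
    flush()
    return tokens


def escape_backslash(value):
    """Hypothetical legacy client: prefix ' and \\ with a backslash.
    Only correct when the server treats backslashes as escapes (setting off)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escape_quote_only(value):
    """Hypothetical client that only doubles quotes.
    Only correct when the server ignores backslashes (setting on)."""
    return value.replace("'", "''")


def escape_for(value, standard_conforming_strings):
    """Setting-aware escaper: double quotes always, double backslashes only
    when the server still treats them as escapes."""
    if not standard_conforming_strings:
        value = value.replace("\\", "\\\\")
    return value.replace("'", "''")


def is_safe(escaped, value, standard_conforming_strings):
    """True only if the server sees the template code followed by exactly one
    literal equal to the original parameter, i.e. nothing was injected."""
    try:
        tokens = tokenize(PREFIX + "'" + escaped + "'", standard_conforming_strings)
    except ValueError:
        return False
    return tokens == [("code", PREFIX), ("literal", value)]


def survey(value):
    """Return {(escaper name, setting): safe?} for one attacker-controlled value."""
    results = {}
    for on in (False, True):
        results[("backslash", on)] = is_safe(escape_backslash(value), value, on)
        results[("quote_only", on)] = is_safe(escape_quote_only(value), value, on)
        results[("setting_aware", on)] = is_safe(escape_for(value, on), value, on)
    return results


if __name__ == "__main__":
    # Constructed payloads: the first breaks a backslash escaper on a server with
    # the setting on (the driver/server pairing in the CVE text); the second
    # breaks a quote-only escaper on a server with the setting off.
    for payload in ("x' OR 1=1 --", "\\' OR 1=1 --"):
        print(repr(payload))
        for (name, on), safe in sorted(survey(payload).items()):
            print(f"  {name:14s} setting={'on' if on else 'off'}: "
                  f"{'ok' if safe else 'INJECTION'}")
```

Against a live server the setting is read with `SHOW standard_conforming_strings;`. The durable fix is not a cleverer escaper but sending parameters out of band (bind parameters / server-side prepared statements) with a driver that knows the server's setting; the CVE text lists only driver versions before 8.2 as affected.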
Products affected by CVE-2012-1618
- cpe:2.3:a:postgresql:postgresql:9.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql_jdbc_driver:8.1:*:*:*:*:*:*:*
Threat overview for CVE-2012-1618
Top open port discovered on systems with this issue: 5432
IPs affected by CVE-2012-1618: 11,560
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2012-1618
EPSS score: 0.62% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~76% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2012-1618
Base Score | Base Severity | CVSS Vector (v2) | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
References for CVE-2012-1618
- http://archives.neohapsis.com/archives/bugtraq/2012-03/0126.html
- http://www.openwall.com/lists/oss-security/2012/04/04/9 (oss-security - Re: CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters)
- http://www.openwall.com/lists/oss-security/2012/04/04/11 (oss-security - Re: CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters)
- http://www.openwall.com/lists/oss-security/2012/03/30/8 (oss-security - CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters)
- http://www.openwall.com/lists/oss-security/2012/03/30/9 (oss-security - postgresql-jdbc 8.1 SQL injection with postgresql server 9.1)
- http://www.openwall.com/lists/oss-security/2012/04/04/5 (oss-security - Re: Re: [JDBC] CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters)
- https://bugzilla.novell.com/show_bug.cgi?id=754273 (Bug 754273 - VUL-0: postgresql-jdbc: SQL injection)
- http://www.openwall.com/lists/oss-security/2012/04/02/4 (oss-security - Re: [JDBC] CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters)
- http://www.openwall.com/lists/oss-security/2012/04/04/4 (oss-security - Re: Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1)
- http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html ([opensuse-security] SQL injection attack possible when connecting to Pos)
- http://www.openwall.com/lists/oss-security/2012/03/31/1 (oss-security - SQL injection attack possible when connecting to PostgreSQL 9.1 with version 8.1 JDBC driver)