CVE-2022-31197 : PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a P

PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.

Published 2022-08-03 19:15:09

Updated 2023-02-06 14:30:16

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Sql Injection

Products affected by CVE-2022-31197

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Postgresql » Postgresql Jdbc Driver
Versions from including (>=) 42.3.0 and before (<) 42.3.7
cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:*
Matching versions
Postgresql » Postgresql Jdbc Driver
Versions before (<) 42.2.26
cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:*
Matching versions
Postgresql » Postgresql Jdbc Driver » Version: 42.4.0
cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.4.0:-:*:*:*:*:*:*
Matching versions
Postgresql » Postgresql Jdbc Driver » Version: 42.4.0 Update RC1
cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.4.0:rc1:*:*:*:*:*:*
Matching versions
Postgresql » Postgresql Jdbc Driver » Version: 42.4.1 Update RC1
cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.4.1:rc1:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 36
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-31197

EPSS FAQ

0.68%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 70 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-31197

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
8.0	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H	2.1	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.1	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H	1.2	5.9	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-31197

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2022-31197

https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2

SQL Injection in ResultSet.refreshRow() with malicious column names · Advisory · pgjdbc/pgjdbc · GitHub
Exploit;Third Party Advisory
https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637

Merge pull request from GHSA-r38f-c4h4-hqq2 · pgjdbc/pgjdbc@739e599 · GitHub
Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6WHUADTZBBQLVHO4YG4XCWDGWBT4LRP/

[SECURITY] Fedora 36 Update: postgresql-jdbc-42.3.1-4.fc36 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTFE6SV33P5YYU2GNTQZQKQRVR3GYE4S/

[SECURITY] Fedora 35 Update: postgresql-jdbc-42.2.26-1.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00009.html

[SECURITY] [DLA 3140-1] libpgjava security update
Mailing List;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-31197

Products affected by CVE-2022-31197

Exploit prediction scoring system (EPSS) score for CVE-2022-31197

CVSS scores for CVE-2022-31197

CWE ids for CVE-2022-31197

References for CVE-2022-31197