PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.

The remote CentOS Linux 9 host has packages installed that are affected by a vulnerability as referenced in the postgresql-jdbc-42.2.18-6.el9 build changelog.

  - PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using     standard, database independent Java code. The PGJDBC implementation of the     `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column     name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to     executing additional SQL commands as the application's JDBC user. User applications that do not invoke the     `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted     if the underlying database that they are querying via their JDBC application may be under the control of     an attacker. The attack requires the attacker to trick the user into executing SQL against a table name     who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on     the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC     application that executes as a privileged user querying database schemas owned by potentially malicious     less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to     craft a schema that causes the application to execute commands as the privileged user. Patched versions     will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds     for this issue. (CVE-2022-31197)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RLSA-2023:0318 advisory.

  - PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using     standard, database independent Java code. The PGJDBC implementation of the     `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column     name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to     executing additional SQL commands as the application's JDBC user. User applications that do not invoke the     `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted     if the underlying database that they are querying via their JDBC application may be under the control of     an attacker. The attack requires the attacker to trick the user into executing SQL against a table name     who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on     the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC     application that executes as a privileged user querying database schemas owned by potentially malicious     less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to     craft a schema that causes the application to execute commands as the privileged user. Patched versions     will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds     for this issue. (CVE-2022-31197)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has a package installed that is affected by a vulnerability as referenced in the ALSA-2023:0318 advisory.

  - PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using     standard, database independent Java code. The PGJDBC implementation of the     `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column     name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to     executing additional SQL commands as the application's JDBC user. User applications that do not invoke the     `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted     if the underlying database that they are querying via their JDBC application may be under the control of     an attacker. The attack requires the attacker to trick the user into executing SQL against a table name     who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on     the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC     application that executes as a privileged user querying database schemas owned by potentially malicious     less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to     craft a schema that causes the application to execute commands as the privileged user. Patched versions     will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds     for this issue. (CVE-2022-31197)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2023-0318 advisory.

  - PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using     standard, database independent Java code. The PGJDBC implementation of the     `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column     name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to     executing additional SQL commands as the application's JDBC user. User applications that do not invoke the     `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted     if the underlying database that they are querying via their JDBC application may be under the control of     an attacker. The attack requires the attacker to trick the user into executing SQL against a table name     who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on     the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC     application that executes as a privileged user querying database schemas owned by potentially malicious     less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to     craft a schema that causes the application to execute commands as the privileged user. Patched versions     will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds     for this issue. (CVE-2022-31197)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2023:0318 advisory.

  - postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names (CVE-2022-31197)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 35 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-cdeabe1bc0 advisory.

  - PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using     standard, database independent Java code. The PGJDBC implementation of the     `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column     name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to     executing additional SQL commands as the application's JDBC user. User applications that do not invoke the     `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted     if the underlying database that they are querying via their JDBC application may be under the control of     an attacker. The attack requires the attacker to trick the user into executing SQL against a table name     who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on     the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC     application that executes as a privileged user querying database schemas owned by potentially malicious     less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to     craft a schema that causes the application to execute commands as the privileged user. Patched versions     will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds     for this issue. (CVE-2022-31197)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-d7d49b2fac advisory.

  - PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using     standard, database independent Java code. The PGJDBC implementation of the     `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column     name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to     executing additional SQL commands as the application's JDBC user. User applications that do not invoke the     `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted     if the underlying database that they are querying via their JDBC application may be under the control of     an attacker. The attack requires the attacker to trick the user into executing SQL against a table name     who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on     the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC     application that executes as a privileged user querying database schemas owned by potentially malicious     less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to     craft a schema that causes the application to execute commands as the privileged user. Patched versions     will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds     for this issue. (CVE-2022-31197)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the postgresql-jdbc package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using     standard, database independent Java code. The PGJDBC implementation of the     `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column     name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to     executing additional SQL commands as the application's JDBC user. User applications that do not invoke the     `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted     if the underlying database that they are querying via their JDBC application may be under the control of     an attacker. The attack requires the attacker to trick the user into executing SQL against a table name     who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on     the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC     application that executes as a privileged user querying database schemas owned by potentially malicious     less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to     craft a schema that causes the application to execute commands as the privileged user. Patched versions     will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds     for this issue. (CVE-2022-31197)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote SUSE Linux SLES15 / SLES_SAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2022:3613-1 advisory.

  - PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using     standard, database independent Java code. The PGJDBC implementation of the     `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column     name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to     executing additional SQL commands as the application's JDBC user. User applications that do not invoke the     `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted     if the underlying database that they are querying via their JDBC application may be under the control of     an attacker. The attack requires the attacker to trick the user into executing SQL against a table name     who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on     the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC     application that executes as a privileged user querying database schemas owned by potentially malicious     less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to     craft a schema that causes the application to execute commands as the privileged user. Patched versions     will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds     for this issue. (CVE-2022-31197)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3140 advisory.

  - PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using     standard, database independent Java code. The PGJDBC implementation of the     `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column     name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to     executing additional SQL commands as the application's JDBC user. User applications that do not invoke the     `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted     if the underlying database that they are querying via their JDBC application may be under the control of     an attacker. The attack requires the attacker to trick the user into executing SQL against a table name     who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on     the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC     application that executes as a privileged user querying database schemas owned by potentially malicious     less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to     craft a schema that causes the application to execute commands as the privileged user. Patched versions     will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds     for this issue. (CVE-2022-31197)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2022:3541-1 advisory.

  - PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using     standard, database independent Java code. The PGJDBC implementation of the     `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column     name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to     executing additional SQL commands as the application's JDBC user. User applications that do not invoke the     `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted     if the underlying database that they are querying via their JDBC application may be under the control of     an attacker. The attack requires the attacker to trick the user into executing SQL against a table name     who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on     the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC     application that executes as a privileged user querying database schemas owned by potentially malicious     less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to     craft a schema that causes the application to execute commands as the privileged user. Patched versions     will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds     for this issue. (CVE-2022-31197)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2022:3537-1 advisory.

  - PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using     standard, database independent Java code. The PGJDBC implementation of the     `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column     name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to     executing additional SQL commands as the application's JDBC user. User applications that do not invoke the     `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted     if the underlying database that they are querying via their JDBC application may be under the control of     an attacker. The attack requires the attacker to trick the user into executing SQL against a table name     who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on     the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC     application that executes as a privileged user querying database schemas owned by potentially malicious     less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to     craft a schema that causes the application to execute commands as the privileged user. Patched versions     will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds     for this issue. (CVE-2022-31197)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the aeb4c85b-3600-11ed-b52d-589cfc007716 advisory.

  - PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using     standard, database independent Java code. The PGJDBC implementation of the     `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column     name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to     executing additional SQL commands as the application's JDBC user. User applications that do not invoke the     `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted     if the underlying database that they are querying via their JDBC application may be under the control of     an attacker. The attack requires the attacker to trick the user into executing SQL against a table name     who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on     the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC     application that executes as a privileged user querying database schemas owned by potentially malicious     less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to     craft a schema that causes the application to execute commands as the privileged user. Patched versions     will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds     for this issue. (CVE-2022-31197)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
191194	CentOS 9 : postgresql-jdbc-42.2.18-6.el9	Nessus	CentOS Local Security Checks	high
184951	Rocky Linux 9 : postgresql-jdbc (RLSA-2023:0318)	Nessus	Rocky Linux Local Security Checks	high
170571	AlmaLinux 9 : postgresql-jdbc (ALSA-2023:0318)	Nessus	Alma Linux Local Security Checks	high
170537	Oracle Linux 9 : postgresql-jdbc (ELSA-2023-0318)	Nessus	Oracle Linux Local Security Checks	high
170407	RHEL 9 : postgresql-jdbc (RHSA-2023:0318)	Nessus	Red Hat Local Security Checks	high
169227	Fedora 35 : postgresql-jdbc (2022-cdeabe1bc0)	Nessus	Fedora Local Security Checks	high
169095	Fedora 36 : postgresql-jdbc (2022-d7d49b2fac)	Nessus	Fedora Local Security Checks	high
168515	EulerOS 2.0 SP8 : postgresql-jdbc (EulerOS-SA-2022-2803)	Nessus	Huawei Local Security Checks	high
166248	SUSE SLES15 Security Update : postgresql-jdbc (SUSE-SU-2022:3613-1)	Nessus	SuSE Local Security Checks	high
165784	Debian DLA-3140-1 : libpgjava - LTS security update	Nessus	Debian Local Security Checks	high
165755	SUSE SLES12 Security Update : postgresql-jdbc (SUSE-SU-2022:3541-1)	Nessus	SuSE Local Security Checks	high
165750	SUSE SLES15 Security Update : postgresql-jdbc (SUSE-SU-2022:3537-1)	Nessus	SuSE Local Security Checks	high
165223	FreeBSD : puppetdb -- Potential SQL injection (aeb4c85b-3600-11ed-b52d-589cfc007716)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2022-31197

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high