SCA: security update for org.postgresql:postgresql (GHSA-r38f-c4h4-hqq2)

high Tenable Self-Hosted Container Security Plugin ID 418451

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using
standard, database independent Java code. The PGJDBC implementation of the
`java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column
name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to
executing additional SQL commands as the application's JDBC user. User applications that do not invoke the
`ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted
if the underlying database that they are querying via their JDBC application may be under the control of
an attacker. The attack requires the attacker to trick the user into executing SQL against a table name
who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on
the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC
application that executes as a privileged user querying database schemas owned by potentially malicious
less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to
craft a schema that causes the application to execute commands as the privileged user. Patched versions
will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds
for this issue. (CVE-2022-31197)

See Also

https://github.com/advisories/GHSA-r38f-c4h4-hqq2

Plugin Details

Severity: High

ID: 418451

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-31197

CVSS v3

Risk Factor: High

Base Score: 8

Temporal Score: 7.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/6/2022

Vulnerability Publication Date: 8/3/2022

Reference Information

CVE: CVE-2022-31197

cwe: CWE-89