PostgreSQL JDBC 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, and 42.2.28.jre7 Security update for CVE-2024-1597

From: JDBC Project via PostgreSQL Announce <announce-noreply(at)postgresql(dot)org>
To: PostgreSQL Announce <pgsql-announce(at)lists(dot)postgresql(dot)org>
Subject: PostgreSQL JDBC 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, and 42.2.28.jre7 Security update for CVE-2024-1597
Date: 2024-02-21 19:40:57
Message-ID: 170854445761.644.17638905410252627290@wrigleys.postgresql.org
Lists: pgsql-announce

The PostgreSQL JDBC team has released 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, and 42.2.28.jre7 to address a security issue: [CVE-2024-1597](https://www.cve.org/CVERecord?id=CVE-2024-1597). (Note that there is no fix for 42.2.26.jre6; see the advisory for workarounds.)

SQL injection is possible when the non-default connection property preferQueryMode=simple is used in combination with application code that contains a vulnerable SQL statement negating a parameter value.

There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.
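
Both conditions above have to hold at once, so a review of an application's connection strings and SQL text can tell you whether it is exposed. The following is an added example, not code from the pgjdbc project or the advisory: a small offline scanner that flags preferQueryMode=simple in a JDBC URL or a Properties-style map, locates `?` placeholders that are directly preceded by a unary minus (the "negates a parameter value" shape), and offers a defensive rewrite of `-?` to `-(?)`. The rewrite is an assumption of this example rather than the driver's fix; it only keeps two minus signs from ever becoming adjacent, and upgrading or leaving the query mode at its default remains the actual remediation. The sample URL and statements are constructed.

```python
from __future__ import annotations

import re

# Connection property named in the advisory; "simple" is the non-default, affected value.
QUERY_MODE_PROPERTY = "preferQueryMode"

# A '?' placeholder immediately preceded by a minus sign, e.g. "SELECT -?".
# A spaced binary minus ("id - ?") is deliberately not matched: a negative value
# rendered there gives "id - -1", which contains no "--" sequence.
NEGATED_PLACEHOLDER = re.compile(r"-\?")

# Single-quoted SQL string literals ('' is an escaped quote); a '?' inside one is text, not a parameter.
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")


def _mask_literals(sql: str) -> str:
    """Blank out string literals with spaces so offsets still refer to the original text."""
    return STRING_LITERAL.sub(lambda m: " " * len(m.group(0)), sql)


def uses_simple_query_mode(jdbc_url: str, properties: dict | None = None) -> bool:
    """True if the connection would run in simple query mode.

    pgjdbc accepts connection properties either in the URL query string
    (jdbc:postgresql://host/db?preferQueryMode=simple) or in a Properties object;
    both places are checked.
    """
    values = []
    if "?" in jdbc_url:
        for pair in jdbc_url.split("?", 1)[1].split("&"):
            key, _, value = pair.partition("=")
            if key == QUERY_MODE_PROPERTY:
                values.append(value)
    if properties and QUERY_MODE_PROPERTY in properties:
        values.append(properties[QUERY_MODE_PROPERTY])
    return any(v.strip().lower() == "simple" for v in values)


def find_negated_placeholders(sql: str) -> list[int]:
    """Offsets of every '-?' (a parameter negated by a unary minus) outside string literals."""
    return [m.start() for m in NEGATED_PLACEHOLDER.finditer(_mask_literals(sql))]


def rewrite_negated_placeholders(sql: str) -> str:
    """Defensive rewrite (an assumption of this example, not the driver's fix): '-?' becomes '-(?)'.

    With the parameter parenthesised, a negative value renders as -(-1), so the two
    minus signs that would otherwise form a '--' line comment are never adjacent.
    """
    masked = _mask_literals(sql)
    out, last = [], 0
    for m in NEGATED_PLACEHOLDER.finditer(masked):
        out.append(sql[last:m.start()])
        out.append("-(?)")
        last = m.end()
    out.append(sql[last:])
    return "".join(out)


def assess(jdbc_url: str, statements: list[str], properties: dict | None = None) -> dict:
    """Combine the two conditions the advisory names: simple mode AND a negated placeholder."""
    simple = uses_simple_query_mode(jdbc_url, properties)
    flagged = {}
    for stmt in statements:
        hits = find_negated_placeholders(stmt)
        if hits:
            flagged[stmt] = hits
    return {"simple_mode": simple, "negated_placeholders": flagged, "at_risk": simple and bool(flagged)}


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real application.
    url = "jdbc:postgresql://db.example.internal:5432/app?preferQueryMode=simple&ssl=true"
    statements = [
        "SELECT -?, ? FROM t",               # negated placeholder: flagged
        "SELECT id - ? FROM t WHERE x = ?",  # spaced binary minus: not flagged
        "SELECT '-?' FROM t WHERE y = ?",    # '-?' inside a literal: not flagged
    ]
    report = assess(url, statements)
    print(report)
    for stmt in report["negated_placeholders"]:
        print("suggested rewrite:", rewrite_negated_placeholders(stmt))
```

Run it against the connection strings and SQL of a service you maintain; a report with `at_risk` false because the query mode is the default confirms the second paragraph above, while one with `at_risk` true points at exactly the statements to fix before (or alongside) the driver upgrade.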

See the [security advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56) for the details. Thanks to [Paul Gerste](https://github.com/paul-gerste-sonarsource) for finding and reporting the issue.
