Описание
pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
A flaw was found in the PostgreSQL JDBC Driver. A SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value.
Отчет
The PostgreSQL JDBC Driver is not affected in the default query mode. Users that do not override the query mode are not impacted. The described SQL injection vulnerability, while significant, is categorized as important rather than critical due to several factors. Firstly, the exploitation relies on specific conditions, including the use of a non-default query mode (preferQueryMode=simple) and the precise arrangement of user-controlled parameters within the SQL query. This limits the potential attack surface and reduces the likelihood of widespread exploitation across systems. Additionally, the vulnerability does not pose an immediate and severe risk of system compromise or data breach; rather, it enables attackers to manipulate SQL queries and potentially execute arbitrary commands within the context of the application's database. Furthermore, the vulnerability can be effectively mitigated by applying the provided patch or by avoiding the use of the vulnerable query mode, thus reducing the risk of exploitation. Red Hat Satellite ships a PostgreSQL JDBC Driver which embeds into Candlepin. However, Candlepin doesn't directly utilize the PostgreSQL JDBC Driver and doesn't set PreferQueryMode. Therefore, although the affected component is shipped, the product impact is considered Low. This issue may be addressed in a future Satellite release.
Меры по смягчению последствий
Do not use the connection propertypreferQueryMode=simple. If you do not explicitly specify a query mode, then you are using the default of extended and are not impacted by this issue.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat build of Apache Camel 4 for Quarkus 3 | pgjdbc | Will not fix | ||
| Red Hat build of Apache Camel for Spring Boot 3 | pgjdbc | Affected | ||
| Red Hat build of Apicurio Registry 2 | pgjdbc | Not affected | ||
| Red Hat Build of Keycloak | pgjdbc | Affected | ||
| Red Hat build of OptaPlanner 8 | pgjdbc | Will not fix | ||
| Red Hat Enterprise Linux 6 | postgresql-jdbc | Not affected | ||
| Red Hat Enterprise Linux 7 | postgresql-jdbc | Not affected | ||
| Red Hat Enterprise Linux 8 | libreoffice:flatpak/postgresql-jdbc | Will not fix | ||
| Red Hat Enterprise Linux 9 | libreoffice:flatpak/postgresql-jdbc | Will not fix | ||
| Red Hat Fuse 7 | pgjdbc | Not affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
9.8 Critical
CVSS3
Связанные уязвимости
pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if u ...
EPSS
9.8 Critical
CVSS3