PostgreSQL JDBC Driver up to 42.2.25/42.4.0 java.sql.ResultRow.refreshRow sql injection
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.6 | $0-$5k | 0.00 |
Summary
A vulnerability was found in PostgreSQL JDBC Driver up to 42.2.25/42.4.0. It has been classified as critical. Affected is the function java.sql.ResultRow.refreshRow. This manipulation causes sql injection.
This vulnerability is tracked as CVE-2022-31197. The attack is possible to be carried out remotely. No exploit exists.
Upgrading the affected component is recommended.
Details
A vulnerability was found in PostgreSQL JDBC Driver up to 42.2.25/42.4.0 (Database Software). It has been declared as critical. Affected by this vulnerability is the function java.sql.ResultRow.refreshRow. The manipulation with an unknown input leads to a sql injection vulnerability. The CWE definition for the vulnerability is CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.
The weakness was disclosed 08/04/2022 as GHSA-r38f-c4h4-hqq2. It is possible to read the advisory at github.com. This vulnerability is known as CVE-2022-31197 since 05/18/2022. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1505 according to MITRE ATT&CK.
The vulnerability scanner Nessus provides a plugin with the ID 213039 (Debian dla-3995 : libpostgresql-jdbc-java - security update), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 42.2.26 or 42.4.1 eliminates this vulnerability. Applying the patch 739e599d52ad80f8dcd6efedc6157859b1a9d637 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the vulnerability database at Tenable (213039). Be aware that VulDB is the high quality source for vulnerability data.
Product
Type
Name
Version
- 42.0
- 42.1
- 42.2
- 42.2.0
- 42.2.1
- 42.2.2
- 42.2.3
- 42.2.4
- 42.2.5
- 42.2.6
- 42.2.7
- 42.2.8
- 42.2.9
- 42.2.10
- 42.2.11
- 42.2.12
- 42.2.13
- 42.2.14
- 42.2.15
- 42.2.16
- 42.2.17
- 42.2.18
- 42.2.19
- 42.2.20
- 42.2.21
- 42.2.22
- 42.2.23
- 42.2.24
- 42.2.25
- 42.3
- 42.4.0
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.7VulDB Meta Temp Score: 6.6
VulDB Base Score: 5.0
VulDB Temp Score: 4.8
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 8.0
NVD Vector: 🔍
CNA Base Score: 7.1
CNA Vector (GitHub, Inc.): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Sql injectionCWE: CWE-89 / CWE-74 / CWE-707
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 213039
Nessus Name: Debian dla-3995 : libpostgresql-jdbc-java - security update
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: PostgreSQL JDBC Driver 42.2.26/42.4.1
Patch: 739e599d52ad80f8dcd6efedc6157859b1a9d637
Timeline
05/18/2022 🔍08/04/2022 🔍
08/04/2022 🔍
11/04/2025 🔍
Sources
Advisory: GHSA-r38f-c4h4-hqq2Status: Confirmed
CVE: CVE-2022-31197 (🔍)
GCVE (CVE): GCVE-0-2022-31197
GCVE (VulDB): GCVE-100-205567
Entry
Created: 08/04/2022 07:55Updated: 11/04/2025 16:31
Changes: 08/04/2022 07:55 (43), 08/30/2022 09:49 (21), 12/16/2024 17:04 (16), 11/04/2025 16:31 (1)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.