Bug 2129428 (CVE-2022-31197)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names | | |
| Product | [Other] Security Response | Reporter | Patrick Del Bello <pdelbell> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | aileenc, alazarot, anstephe, avibelli, balejosg, bgeorges, boliveir, caolanm, caswilli, chazlett, clement.escoffier, dandread, databases-maint, dkreling, emingora, eric.wittmann, etirelli, fjanus, fmongiar, ggastald, gmalinko, gsmet, hamadhan, hhorak, ibek, janstey, jjanco, jnethert, jochrist, jpavlik, jrokos, jwon, kaycoth, kverlaen, lthon, mkulik, mnovotny, odubaj, pantinor, pdelbell, pdrozd, peholase, pgallagh, pjindal, pkubat, praiskup, probinso, pskopek, rguimara, rrajasek, rruss, rsvoboda, sbiarozk, sdouglas, sthorger, tgl, tzimanyi, zmiklank |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | postgresql-jdbc 42.2.26, postgresql-jdbc 42.3.7, postgresql-jdbc 42.4.1 | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in PostgreSQL. A missing escape character in the java.sql.ResultSet.refreshRow() implementation of the PostgreSQL JDBC driver (pgjdbc) allows an attacker to perform a SQL injection attack through a malicious column name. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2023-01-25 11:52:25 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2129429, 2132869, 2132870, 2132871, 2151113 | | |
| Bug Blocks | 2115177 | | |
Description

Patrick Del Bello, 2022-09-23 18:13:59 UTC

Created postgresql-jdbc tracking bugs for this issue:

Affects: fedora-all [bug 2129429]

FEDORA-2022-cdeabe1bc0 has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.

This issue has been addressed in the following products:
Red Hat Fuse 7.11.1
Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652

This issue has been addressed in the following products:
Red Hat build of Quarkus 2.13.5
Via RHSA-2022:9023 https://access.redhat.com/errata/RHSA-2022:9023

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:0318 https://access.redhat.com/errata/RHSA-2023:0318

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2022-31197

This issue has been addressed in the following products:
Red Hat build of Quarkus 2.7.7
Via RHSA-2023:1006 https://access.redhat.com/errata/RHSA-2023:1006