
Upgrade PostgreSQL JDBC Driver to at least 42.3.9 to fix 1 critical and 2 moderate CVE #129

Closed
jasperbogers opened this issue Mar 6, 2024 · 1 comment

Comments

@jasperbogers

The following CVEs are found in io.zonky.test/embedded-postgres/2.0.6

(Critical)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1597
GHSA-24rp-q3w6-vc56

(Moderate)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31197
GHSA-r38f-c4h4-hqq2

(Moderate)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41946
GHSA-562r-vg33-8x8h

Cause
These vulnerabilities are due to a dependency in pom.xml on org.postgresql:postgresql version 42.3.5.

How to fix?
Upgrade org.postgresql:postgresql to version 42.3.9 (highest at the time of writing).
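Added example, not part of the original issue and not the embedded-postgres project's own pom.xml: until a release of embedded-postgres with the bumped driver is available, a project that consumes io.zonky.test:embedded-postgres 2.0.6 can pin the transitive org.postgresql:postgresql to 42.3.9 in its own POM through dependencyManagement, which takes precedence over the version declared transitively. The artifact coordinates and versions are the ones named in this issue; the consuming project's own groupId/artifactId are placeholders.

```xml
<!-- Added example (not from the embedded-postgres project): a consumer pom.xml
     that forces the PostgreSQL JDBC driver pulled in transitively by
     io.zonky.test:embedded-postgres:2.0.6 up to the fixed version. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- placeholder coordinates for the consuming project -->
  <groupId>com.example</groupId>
  <artifactId>uses-embedded-postgres</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <!-- driver version named in the issue as the fix for the three CVEs -->
    <postgresql.jdbc.version>42.3.9</postgresql.jdbc.version>
  </properties>

  <!-- dependencyManagement in the consuming POM overrides the 42.3.5
       declared by embedded-postgres, so the driver resolves to 42.3.9 -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.postgresql</groupId>
        <artifactId>postgresql</artifactId>
        <version>${postgresql.jdbc.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>io.zonky.test</groupId>
      <artifactId>embedded-postgres</artifactId>
      <version>2.0.6</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

To confirm the override actually took effect, run `mvn dependency:tree -Dincludes=org.postgresql:postgresql` in the consuming project: the tree should list `org.postgresql:postgresql:jar:42.3.9` beneath embedded-postgres and no longer mention 42.3.5. The pin should be dropped again once a release of embedded-postgres that ships the updated driver is adopted, so the managed version does not silently hold back future driver updates.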

@tomix26
Collaborator

tomix26 commented Mar 18, 2024

Thank you for the report.

@tomix26 tomix26 added this to the 2.0.7 milestone Mar 18, 2024
lesiak added a commit to lesiak/embedded-postgres that referenced this issue Mar 29, 2024
CVE-2024-1597 [High 10.0] Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") vulnerability
CVE-2022-31197 [High 8.0] Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") vulnerability
CVE-2022-41946 [Medium 5.5] Exposure of Sensitive Information to an Unauthorized Actor vulnerability
lesiak added a commit to lesiak/embedded-postgres that referenced this issue Mar 29, 2024
- CVE-2024-1597 [High 10.0] Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") vulnerability
- CVE-2022-31197 [High 8.0] Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") vulnerability
- CVE-2022-41946 [Medium 5.5] Exposure of Sensitive Information to an Unauthorized Actor vulnerability
lesiak added a commit to lesiak/embedded-postgres that referenced this issue Mar 29, 2024
Fixes:
- CVE-2024-1597 [High 10.0] Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") vulnerability
- CVE-2022-31197 [High 8.0] Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") vulnerability
- CVE-2022-41946 [Medium 5.5] Exposure of Sensitive Information to an Unauthorized Actor vulnerability
lesiak added a commit to lesiak/embedded-postgres that referenced this issue Mar 29, 2024
Fixes:
- CVE-2024-1597 [Critical] SQL Injection via line comment generation
- CVE-2022-31197 [High] SQL Injection in ResultSet.refreshRow() with malicious column names
- CVE-2022-41946 [Medium] TemporaryFolder on unix-like systems does not limit access to created files
@tomix26 tomix26 closed this as completed Apr 8, 2024