CVE-2022-31197
SQL Injection vulnerability in postgresql (Maven)

SQL Injection | No known exploit

What is CVE-2022-31197 About?

This vulnerability is a SQL Injection flaw in the PGJDBC driver's `refreshRow()` method, arising from improper escaping of column names. Attackers can execute arbitrary SQL commands as the application's JDBC user, making it a high-impact issue that requires specific conditions and user interaction to exploit.

Affected Software

  • org.postgresql:postgresql
    • >42.4.0, <42.4.1
    • <42.2.26
    • >42.3.0, <42.3.7

Technical Details

The PGJDBC implementation of java.sql.ResultSet.refreshRow() does not properly escape column names. If a database under an attacker's control contains a table with a maliciously crafted column name (for example one containing a statement terminator such as `;` followed by further SQL), and an application queries that table and then calls ResultSet.refreshRow(), the unescaped column name is interpolated into the SQL query the driver builds dynamically. The attacker can thereby execute arbitrary SQL in the context of the application's JDBC user, potentially leading to data manipulation or privilege escalation, even though direct data exfiltration through refreshRow() itself may be blocked by the exceptions it raises.
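The following added example is not pgjdbc's code; it is a simplified Python model of the pattern described above. It builds the kind of SELECT a refreshRow() implementation issues from column names, once by raw concatenation (the vulnerable behaviour) and once with PostgreSQL-style identifier quoting (wrap in double quotes, double embedded double quotes), then counts how many statements the server would see. The table, column and hostile column name are constructed for illustration.

```python
# Added example, not pgjdbc's own code: a simplified model of how a
# refreshRow()-style query is built from column names, first unescaped
# (the CVE-2022-31197 pattern) and then with PostgreSQL identifier quoting.
from typing import List

def quote_identifier(name: str) -> str:
    """Quote an identifier the PostgreSQL way: wrap in double quotes and
    double every embedded double quote. NUL is rejected outright."""
    if "\x00" in name:
        raise ValueError("identifier contains NUL")
    return '"' + name.replace('"', '""') + '"'

def build_refresh_select(table: str, columns: List[str], pk: str,
                         escape: bool) -> str:
    """Build the SELECT used to re-read the current row. With escape=False
    the names are concatenated raw, which is the vulnerable behaviour."""
    q = quote_identifier if escape else (lambda s: s)
    cols = ", ".join(q(c) for c in columns)
    return f"SELECT {cols} FROM {q(table)} WHERE {q(pk)} = ?"

def split_statements(sql: str) -> List[str]:
    """Split on ';' outside "..." identifiers and '...' literals, to count
    the statements the server would see. Not a full SQL parser."""
    out, cur, quote = [], [], None
    for ch in sql:
        if quote:
            cur.append(ch)
            quote = None if ch == quote else quote
        elif ch in ('"', "'"):
            quote = ch
            cur.append(ch)
        elif ch == ";":
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return out + [tail] if tail else out

# Constructed hostile column name of the kind an attacker-controlled schema
# could carry; the ';' ends the SELECT and '--' hides the query's tail.
HOSTILE_COLUMN = "name; SELECT 1; --"

def statement_count(escape: bool) -> int:
    """3 statements without escaping, 1 with identifier quoting."""
    sql = build_refresh_select("customer", ["id", HOSTILE_COLUMN], "id", escape)
    return len(split_statements(sql))
```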

What is the Impact of CVE-2022-31197?

Successful exploitation may allow attackers to execute arbitrary SQL commands, compromise database integrity, or access sensitive information.

What is the Exploitability of CVE-2022-31197?

Exploitation is complex and requires several prerequisites. The vulnerable application must invoke the ResultSet.refreshRow() method. Critically, the application must connect to a database in which an attacker can control or influence schema definitions (for example, create tables with malicious column names). Authentication to the application, and potentially to the database, is required, and the attacker needs database privileges sufficient to create tables or modify the schema. The flaw is local in the sense that the attack targets the application's interaction with its database, but it can be triggered by a remote attacker who controls the schema. The attacker must also get the application to query the crafted table and then call refreshRow() on the result. Risk increases when the application connects to externally controlled or multi-tenant database environments where untrusted users can influence schema definitions, and especially when the application's JDBC user has high privileges.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-31197?

Available Upgrade Options

  • org.postgresql:postgresql
    • <42.2.26 → Upgrade to 42.2.26
  • org.postgresql:postgresql
    • >42.3.0, <42.3.7 → Upgrade to 42.3.7
  • org.postgresql:postgresql
    • >42.4.0, <42.4.1 → Upgrade to 42.4.1


Additional Resources

What are Similar Vulnerabilities to CVE-2022-31197?

Similar Vulnerabilities: CVE-2021-2470, CVE-2019-2729, CVE-2020-28052, CVE-2020-17049, CVE-2021-39294