Overview
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.
Affected versions of this package are vulnerable to SQL Injection via the java.sql.ResultRow.refreshRow() function in jdbc/PgResultSet.java, because column names are not sufficiently escaped. An attacker with control of the underlying database can name a column with a string containing a semicolon or other statement terminator, convince a user to run a query against the table with the compromised column, and then have the application call ResultSet.refreshRow(), which executes the injected statement.
NOTE:
An application that only connects to its own database with a fixed schema with no DDL permissions is not affected by this vulnerability.
Additionally, applications that do not invoke ResultSet.refreshRow() are not affected.
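To make the mechanism concrete, here is an added example (not the advisory's text and not pgjdbc's own code) that contrasts a column list pasted into the refresh statement verbatim, as the vulnerable refreshRow() did, with PostgreSQL-style quoted identifiers. The table and column names are constructed for illustration; the key value stays a bind parameter in both variants.

```java
import java.util.List;
import java.util.stream.Collectors;

/** Added example: unquoted vs. quoted identifiers in a refreshRow-style SELECT. */
public class RefreshRowIdentifiers {

    // Quote an identifier the way PostgreSQL expects: wrap it in double quotes and
    // double any embedded double quote. Inside a quoted identifier a ';' is just a
    // character, never a statement terminator.
    static String quoteIdentifier(String name) {
        if (name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("identifier contains NUL");
        }
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    // Vulnerable pattern: column names concatenated into the statement as-is.
    static String buildUnsafeRefreshQuery(String table, List<String> columns, String keyColumn) {
        return "SELECT " + String.join(", ", columns)
                + " FROM " + table + " WHERE " + keyColumn + " = ?";
    }

    // Hardened pattern: every identifier quoted, so the column list cannot end the statement.
    static String buildSafeRefreshQuery(String table, List<String> columns, String keyColumn) {
        String cols = columns.stream()
                .map(RefreshRowIdentifiers::quoteIdentifier)
                .collect(Collectors.joining(", "));
        return "SELECT " + cols + " FROM " + quoteIdentifier(table)
                + " WHERE " + quoteIdentifier(keyColumn) + " = ?";
    }

    public static void main(String[] args) {
        // Constructed column names: one carries a statement terminator (the case the
        // advisory describes), one carries an embedded double quote.
        List<String> columns = List.of("id", "col; SELECT 1", "say \"hi\"");

        // The unquoted form splits into two statements at the ';'.
        System.out.println(buildUnsafeRefreshQuery("t", columns, "id"));

        // The quoted form is a single statement selecting three oddly named columns.
        System.out.println(buildSafeRefreshQuery("t", columns, "id"));
    }
}
```

Quoting identifiers is a defence for application code that builds dynamic SQL from schema metadata; for the driver itself the remediation remains upgrading to a fixed version.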
Action item(s)
(These are the smaller tasks that should happen in order to complete this work)
[ ]
Completion criteria
SNYK no longer flags this as a vulnerability, or
We've determined that this isn't an issue and we've documented that
References/resources/technical considerations
What we’re after
SNYK flagged a vulnerability: org.postgresql:postgresql SQL Injection
Introduced through: org.flywaydb:[email protected]
Fixed in: org.postgresql:[email protected], @42.4.1
Detailed paths and remediation
Introduced through: unknown:[email protected] › org.flywaydb:[email protected] › org.postgresql:[email protected]
Fix: Upgrade to org.flywaydb:[email protected]