CVE-2012-1618

Description

Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server with the "standard_conforming_strings" option enabled, such as the default configuration of PostgreSQL 9.1, does not properly escape unspecified JDBC statement parameters, which allows remote attackers to perform SQL injection attacks. NOTE: as of 20120330, it was claimed that the upstream developer planned to dispute this issue, but an official dispute has not been posted as of 20121005.

How to fix CVE-2012-1618

To remediate CVE-2012-1618, upgrade the affected package to a fixed version below.

• —upgrade to 8.2 or later

Is CVE-2012-1618 being exploited?

Low — EPSS is 1.9%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 8.2

References (14)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-1618
• PATCHgithub.com/pgjdbc/pgjdbc
• WEBarchives.neohapsis.com/archives/bugtraq/2012-03/0126.html
• WEBlists.opensuse.org/opensuse-security/2012-03/msg00024.html
• WEB