Vulnerabilities > CVE-2012-1618 - Unspecified vulnerability in Postgresql and Postgresql Jdbc Driver

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
postgresql
NVD
Published: 2012-10-06
Updated: 2023-11-07

Summary

Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server with the "standard_conforming_strings" option enabled, such as the default configuration of PostgreSQL 9.1, does not properly escape unspecified JDBC statement parameters, which allows remote attackers to perform SQL injection attacks. NOTE: as of 20120330, it was claimed that the upstream developer planned to dispute this issue, but an official dispute has not been posted as of 20121005.

Vulnerable Configurations

Part Description Count
Application
Postgresql
2

Seebug

bulletinFamilyexploit
descriptionCVE ID: CVE-2012-1618 PostgreSQL JDBC驱动程序可允许Java程序连接到PostgreSQL数据库。 PostgreSQL JDBC 8.2之前版本结合使用启用了"standard_conforming_strings"选项的PostgreSQL服务器时存在交互错误,无法正确转义某些JDBC语句参数,可允许远程攻击者执行SQL注入攻击。 0 PostgreSQL JDBC Driver < 8.2 厂商补丁: PostgreSQL ---------- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.postgresql.org
idSSV:60423
last seen2017-11-19
modified2012-10-10
published2012-10-10
reporterRoot
titlePostgreSQL JDBC驱动程序交互错误SQL注入攻击漏洞

References