Bitnami package
postgresql-jdbc-driver
pkg:bitnami/postgresql-jdbc-driver
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42198 | Hig | 7.5 | >= 42.2.0, < 42.7.11 | 42.7.11 | Apr 29, 2026 | pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very larg | |
| CVE-2025-49146 | — | >= 42.7.4, < 42.7.7 | 42.7.7 | Jun 11, 2025 | pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that | ||
| CVE-2024-1597 | — | < 42.2.28 | 42.2.28 | Feb 19, 2024 | pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeh | ||
| CVE-2022-41946 | — | >= 42.2.0, < 42.2.27 | 42.2.27 | Nov 23, 2022 | pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will crea | ||
| CVE-2022-31197 | — | < 42.2.26 | 42.2.26 | Aug 3, 2022 | PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious c | ||
| CVE-2022-26520 | — | >= 42.1.0, < 42.1.5 | 42.1.5 | Mar 7, 2022 | In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP | ||
| CVE-2022-21724 | — | < 42.2.25 | 42.2.25 | Feb 2, 2022 | pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin | ||
| CVE-2020-13692 | — | < 42.2.13 | 42.2.13 | Jun 4, 2020 | PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. |
- affected >= 42.2.0, < 42.7.11fixed 42.7.11
pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very larg
- CVE-2025-49146Jun 11, 2025affected >= 42.7.4, < 42.7.7fixed 42.7.7
pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that
- CVE-2024-1597Feb 19, 2024affected < 42.2.28fixed 42.2.28
pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeh
- CVE-2022-41946Nov 23, 2022affected >= 42.2.0, < 42.2.27fixed 42.2.27
pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will crea
- CVE-2022-31197Aug 3, 2022affected < 42.2.26fixed 42.2.26
PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious c
- CVE-2022-26520Mar 7, 2022affected >= 42.1.0, < 42.1.5fixed 42.1.5
In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP
- CVE-2022-21724Feb 2, 2022affected < 42.2.25fixed 42.2.25
pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin
- CVE-2020-13692Jun 4, 2020affected < 42.2.13fixed 42.2.13
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.