{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server with the \"standard_conforming_strings\" option enabled, such as the default configuration of PostgreSQL 9.1, does not properly escape unspecified JDBC statement parameters, which allows remote attackers to perform SQL injection attacks. NOTE: as of 20120330, it was claimed that the upstream developer planned to dispute this issue, but an official dispute has not been posted as of 20121005."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2012-10-06T22:00:00Z"}, "references": [{"name": "[oss-security] 20120330 postgresql-jdbc 8.1 SQL injection with postgresql server 9.1", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/03/30/9"}, {"name": "[oss-security] 20120402 Re: [JDBC] CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/04/02/4"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.novell.com/show_bug.cgi?id=754273"}, {"name": "[oss-security] 20120404 Re: CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/04/04/9"}, {"name": "80641", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/80641"}, {"name": "[opensuse-security] 20120325 SQL injection attack possible when connecting to PostgreSQL 9.1 with version 8.1 JDBC driver", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html"}, {"name": "[oss-security] 20120404 Re: Re: [JDBC] CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/04/04/5"}, {"name": "[oss-security] 20120404 Re: Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/04/04/4"}, {"name": "[oss-security] 20120330 CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/03/30/8"}, {"name": "[oss-security] 20120404 Re: CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/04/04/11"}, {"name": "[oss-security] 20120331 SQL injection attack possible when connecting to PostgreSQL 9.1 with version 8.1 JDBC driver", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/03/31/1"}, {"name": "20120325 SQL injection attack possible when connecting to PostgreSQL 9.1 with version 8.1 JDBC driver", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-03/0126.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T19:01:02.736Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20120330 postgresql-jdbc 8.1 SQL injection with postgresql server 9.1", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/03/30/9"}, {"name": "[oss-security] 20120402 Re: [JDBC] CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/04/02/4"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.novell.com/show_bug.cgi?id=754273"}, {"name": "[oss-security] 20120404 Re: CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/04/04/9"}, {"name": "80641", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/80641"}, {"name": "[opensuse-security] 20120325 SQL injection attack possible when connecting to PostgreSQL 9.1 with version 8.1 JDBC driver", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html"}, {"name": "[oss-security] 20120404 Re: Re: [JDBC] CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/04/04/5"}, {"name": "[oss-security] 20120404 Re: Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/04/04/4"}, {"name": "[oss-security] 20120330 CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/03/30/8"}, {"name": "[oss-security] 20120404 Re: CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/04/04/11"}, {"name": "[oss-security] 20120331 SQL injection attack possible when connecting to PostgreSQL 9.1 with version 8.1 JDBC driver", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/03/31/1"}, {"name": "20120325 SQL injection attack possible when connecting to PostgreSQL 9.1 with version 8.1 JDBC driver", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-03/0126.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-1618", "state": "PUBLISHED", "dateReserved": "2012-03-12T00:00:00Z", "datePublished": "2012-10-06T22:00:00Z", "dateUpdated": "2024-08-06T19:01:02.736Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postgresql:postgresql:9.1:*:*:*:*:*:*:*", "matchCriteriaId": "4796DBEC-FF4F-4749-90D5-AD83D8B5E086", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql_jdbc_driver:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "DED4E7FC-62C2-42F6-A081-3DB36E35D90C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server with the \"standard_conforming_strings\" option enabled, such as the default configuration of PostgreSQL 9.1, does not properly escape unspecified JDBC statement parameters, which allows remote attackers to perform SQL injection attacks. NOTE: as of 20120330, it was claimed that the upstream developer planned to dispute this issue, but an official dispute has not been posted as of 20121005."}, {"lang": "es", "value": "Error de interacci\u00f3n en el controlador PostgreSQL JDBC anteriores a v8.2, cuando se usa con el servidor PostgreSQL con la opci\u00f3n \"standard_conforming_strings\" activa, como la configuraci\u00f3n por defecto de PostgreSQL v9.1, no \"escapa\" de forma adecuada par\u00e1metros JDBC de declaraci\u00f3n, lo que permite a atacantes remotos a efectuar ataques de inyecci\u00f3n SQL. NOTA: se afirm\u00f3 que el desarrollador original planeaba discutir ese punto, pero una disputa oficial no ha sido publicada a partir de 20121005."}], "id": "CVE-2012-1618", "lastModified": "2024-11-21T01:37:20.323", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2012-10-06T22:55:01.697", "references": [{"source": "secalert@redhat.com", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-03/0126.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/03/30/8"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/03/30/9"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/03/31/1"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/04/02/4"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/04/04/11"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/04/04/4"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/04/04/5"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/04/04/9"}, {"source": "secalert@redhat.com", "url": "http://www.osvdb.org/80641"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.novell.com/show_bug.cgi?id=754273"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-03/0126.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/03/30/8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/03/30/9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/03/31/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/04/02/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/04/04/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/04/04/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/04/04/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/04/04/9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/80641"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.novell.com/show_bug.cgi?id=754273"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters", "id": "807394", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=807394"}, "csaw": false, "cvss": {"cvss_base_score": "5.0", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "status": "draft"}, "details": ["Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server with the \"standard_conforming_strings\" option enabled, such as the default configuration of PostgreSQL 9.1, does not properly escape unspecified JDBC statement parameters, which allows remote attackers to perform SQL injection attacks. NOTE: as of 20120330, it was claimed that the upstream developer planned to dispute this issue, but an official dispute has not been posted as of 20121005."], "name": "CVE-2012-1618", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "postgresql-jdbc", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "postgresql-jdbc", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2012-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2012-1618\nhttps://nvd.nist.gov/vuln/detail/CVE-2012-1618"], "statement": "The upstream development team of the JDBC driver for the PostgreSQL database does not consider improper escaping of certain JDBC statement / query parameters, when the JDBC driver of version older than the version of underlying PostgresSQL server is being used, to be a security defect. In general, the JDBC driver for the PostgreSQL database does not promise to work with server releases newer than the driver release. The Red Hat Security Response Team agrees with their assessment and so does not consider this to be a security flaw."}