PostgreSQL JDBC Driver Vulnerability

Hi
Our latest vuln scan caught some JDBC driver vulns
Just wondering if this is on the radar for a release.
See more info below
We are on 3.43.0-01.
I looked through release notes for the later versions, and not seeing mention of this patch.

Also, we are not using the PostgreSQL db.
If we are not using it, and rename or move it as a temp work-around, will it error?
I was just wondering if there are dependencies for it.
Thanks

Synopsis:
The remote host contains a database access library that contains an information disclosure vulnerability.

Description:
The remote host contains a version of PostgreSQL JDBC Driver that is 42.2.x prior to 42.2.27, 42.3.x prior to 42.3.8, 42.4.x prior to 42.4.3 or 42.5.x prior to 42.5.1. It is, therefore, affected by an information disclosure vulnerability. SQL queries using prepared statements that total more than 51 kilobytes will be written to the system temporary directory where they can be read by any local user of the system.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

Solution:
Upgrade to PostgreSQL JDBC Driver version 42.2.27, 42.3.8, 42.4.3, 42.5.1, or later.

Plugin Output:
Path : /srv/nexus-3.43.0-01/system/org/postgresql/postgresql/42.4.1/postgresql-42.4.1.jar
Installed version : 42.4.1
Fixed version : 42.4.3
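As an added example (not from this thread, Sonatype or the pgjdbc project), the version ranges the scanner quotes can be turned into a small offline check that walks jar paths like the one in the plugin output and reports which driver branches still fall below the fixed release; the file paths other than the Nexus one above are constructed sample input.

```python
import re
from typing import List, Optional, Tuple

# First fixed release per affected branch, as stated in the advisory text quoted above.
FIXED_VERSIONS = {
    (42, 2): (42, 2, 27),
    (42, 3): (42, 3, 8),
    (42, 4): (42, 4, 3),
    (42, 5): (42, 5, 1),
}

# Matches the Maven-style artifact name, e.g. .../postgresql-42.4.1.jar
JAR_RE = re.compile(r"postgresql-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected pgjdbc version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> Optional[bool]:
    """True if below the fixed release of its branch, False if at or above it.
    None means the branch is not one the advisory lists (e.g. 42.6.x or pre-42.2),
    so this check says nothing about it and upstream notes must be consulted."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def version_from_jar_path(path: str) -> Optional[str]:
    m = JAR_RE.search(path)
    return ".".join(m.groups()) if m else None


def audit(paths: List[str]) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (path, version, affected) for every pgjdbc jar found among the paths."""
    findings = []
    for p in paths:
        ver = version_from_jar_path(p)
        if ver is not None:
            findings.append((p, ver, is_affected(ver)))
    return findings


# Constructed sample input; the first path is the one reported by the scanner above.
SAMPLE_PATHS = [
    "/srv/nexus-3.43.0-01/system/org/postgresql/postgresql/42.4.1/postgresql-42.4.1.jar",
    "/opt/app/lib/postgresql-42.5.1.jar",
    "/opt/legacy/lib/postgresql-42.2.26.jar",
    "/opt/other/lib/postgresql-42.6.0.jar",
]
```

Calling `audit(SAMPLE_PATHS)` flags the Nexus jar (42.4.1) and the 42.2.26 jar as affected, clears 42.5.1, and returns None for 42.6.0 because that branch is outside the ranges the scanner quotes.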

Thanks for posting, @rclemens. We do monitor our dependencies on a continuous basis with Lifecycle, and we consider all identified vulnerabilities as potentially exploitable. Accordingly, they’re all in a queue to get remediated.

We don’t call out dependency version upgrades specifically in the release notes; there’s a more or less continuous stream of them. 3.43 is a few months old, and there will be several dependency upgrades in the latest release (3.47.1). Specifically, the PostgreSQL driver was updated back in December.
