Hi
Our latest vuln scan caught some JDBC driver vulns.
Just wondering if this is on the radar for a release.
See more info below.
We are on 3.43.0-01.
I looked through release notes for the later versions, and am not seeing mention of this patch.
Also, we are not using the PostgreSQL db.
If we are not using it, and rename or move it as a temp work-around, will it error?
I was just wondering if there are dependencies for it.
Thanks
Synopsis:
The remote host contains a database access library that contains an information disclosure vulnerability.
Description:
The remote host contains a version of PostgreSQL JDBC Driver that is 42.2.x prior to 42.2.27, 42.3.x prior to 42.3.8, 42.4.x prior to 42.4.3 or 42.5.x prior to 42.5.1. It is, therefore, affected by an information disclosure vulnerability. SQL queries using prepared statements that total more than 51 kilobytes will be written to the system temporary directory where they can be read by any local user of the system.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
Solution:
Upgrade to PostgreSQL JDBC Driver version 42.2.27, 42.3.8, 42.4.3, 42.5.1, or later
See Also:
Plugin Output:
Path : /srv/nexus-3.43.0-01/system/org/postgresql/postgresql/42.4.1/postgresql-42.4.1.jar
Installed version : 42.4.1
Fixed version : 42.4.3
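
An added example, not part of the original post or of the Nexus project: a small Python script that walks an install directory for `postgresql-*.jar` files and classifies each against the fixed versions listed in the scanner's "Solution" text. Like the scanner, it relies only on the version in the file name; the script name in the usage comment is hypothetical.

```python
import re
import sys
from pathlib import Path

# First fixed patch level per branch, as listed in the scanner's "Solution" text.
FIXED = {(42, 2): 27, (42, 3): 8, (42, 4): 3, (42, 5): 1}

# Matches e.g. postgresql-42.4.1.jar and postgresql-42.2.27.jre7.jar
JAR_RE = re.compile(r"^postgresql-(\d+)\.(\d+)\.(\d+)(?:\.jre\d+)?\.jar$")


def classify(jar_name):
    """Return (version, status, fixed_version) for a driver jar file name.

    status is 'affected', 'fixed', or 'not-listed' (a branch older than the
    ranges the scanner text names, so this script makes no claim about it).
    Returns None when the name is not a versioned driver jar.
    """
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    version = f"{major}.{minor}.{patch}"
    if (major, minor) in FIXED:
        first_fixed = FIXED[(major, minor)]
        status = "affected" if patch < first_fixed else "fixed"
        return version, status, f"{major}.{minor}.{first_fixed}"
    if (major, minor) > max(FIXED):
        return version, "fixed", None  # covered by "or later" than 42.5.1
    return version, "not-listed", None


def scan(root):
    """Yield (path, version, status, fixed_version) for each driver jar under root."""
    for jar in sorted(Path(root).rglob("postgresql-*.jar")):
        result = classify(jar.name)
        if result:
            yield (str(jar), *result)


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_pgjdbc.py /srv/nexus-3.43.0-01
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, version, status, fixed in scan(root):
        print(f"{status:10} {version:10} fixed-in={fixed or '-'}  {path}")
```

Drivers bundled inside other archives are not found by this walk, so a clean result covers only jars that sit on disk under their own name.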