PostgreSQL JDBC 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, and 42.2.28.jre7 Security update for CVE-2024-1597
The PostgreSQL JDBC team have released 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, and 42.2.28.jre7 to address a security issue: CVE-2024-1597. (Note there is no fix for 42.2.26.jre6 see the advisory for workarounds)
SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value.
There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.