Skip to main content

Postgresql Jdbc Driver

8 CVEs product

Monthly

CVE-2026-42198 Maven HIGH PATCH GHSA This Week

pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.

PostgreSQL Denial Of Service Postgresql Jdbc Driver
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-49146 Maven HIGH PATCH This Week

The PostgreSQL JDBC driver (pgjdbc) versions 42.7.4 through 42.7.6 contain an authentication bypass vulnerability where channel binding validation is incorrectly disabled, allowing man-in-the-middle attackers to intercept connections that administrators configured to require channel binding protection. Affected users running pgjdbc with channel binding set to 'required' (a non-default but security-conscious configuration) are vulnerable to credential interception and session hijacking despite believing their connections are protected. The vulnerability is fixed in version 42.7.7.

PostgreSQL Authentication Bypass Java Postgresql Jdbc Driver Red Hat +1
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2022-41946 Maven MEDIUM POC PATCH This Month

pgjdbc is an open source postgresql JDBC Driver. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Apple Java PostgreSQL Postgresql Jdbc Driver +1
NVD GitHub
CVSS 3.1
5.5
EPSS
0.5%
CVE-2022-31197 Maven HIGH POC PATCH This Week

PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PostgreSQL SQLi Java Postgresql Jdbc Driver Debian Linux +1
NVD GitHub
CVSS 3.1
8.0
EPSS
1.7%
CVE-2022-26520 Maven CRITICAL PATCH Act Now

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Information Disclosure Postgresql Jdbc Driver Debian Linux
NVD GitHub
CVSS 3.1
9.8
EPSS
3.0%
CVE-2020-13692 Maven HIGH PATCH This Week

PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

PostgreSQL XXE Postgresql Jdbc Driver Quarkus Steelstore Cloud Integrated Storage +2
NVD GitHub
CVSS 3.1
7.7
EPSS
4.1%
CVE-2018-10936 Maven HIGH PATCH This Week

A weakness was found in postgresql-jdbc before version 42.2.5. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure PostgreSQL Postgresql Jdbc Driver Enterprise Linux
NVD
CVSS 3.0
8.1
EPSS
2.9%
CVE-2012-1618 Maven HIGH PATCH This Week

Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server with the "standard_conforming_strings" option enabled, such as the default configuration of PostgreSQL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi PostgreSQL Postgresql Jdbc Driver
NVD
CVSS 2.0
7.5
EPSS
1.9%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.

PostgreSQL Denial Of Service Postgresql Jdbc Driver
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

The PostgreSQL JDBC driver (pgjdbc) versions 42.7.4 through 42.7.6 contain an authentication bypass vulnerability where channel binding validation is incorrectly disabled, allowing man-in-the-middle attackers to intercept connections that administrators configured to require channel binding protection. Affected users running pgjdbc with channel binding set to 'required' (a non-default but security-conscious configuration) are vulnerable to credential interception and session hijacking despite believing their connections are protected. The vulnerability is fixed in version 42.7.7.

PostgreSQL Authentication Bypass Java +3
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

pgjdbc is an open source postgresql JDBC Driver. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Apple Java +3
NVD GitHub
EPSS 2% CVSS 8.0
HIGH POC PATCH This Week

PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PostgreSQL SQLi Java +3
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Information Disclosure Postgresql Jdbc Driver +1
NVD GitHub
EPSS 4% CVSS 7.7
HIGH PATCH This Week

PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

PostgreSQL XXE Postgresql Jdbc Driver +4
NVD GitHub
EPSS 3% CVSS 8.1
HIGH PATCH This Week

A weakness was found in postgresql-jdbc before version 42.2.5. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure PostgreSQL Postgresql Jdbc Driver +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server with the "standard_conforming_strings" option enabled, such as the default configuration of PostgreSQL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi PostgreSQL Postgresql Jdbc Driver
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy