bvolpato opened a new issue, #37942: URL: https://github.com/apache/beam/issues/37942
## Summary

The PostgreSQL JDBC Driver used by Apache Beam (`42.2.16`) is affected by multiple security vulnerabilities:

| CVE | CVSS | Severity | Description |
|-----|------|----------|-------------|
| [CVE-2024-1597](https://www.cve.org/CVERecord?id=CVE-2024-1597) | **9.8** | Critical | SQL injection via `preferQueryMode=simple` |
| [CVE-2022-21724](https://www.cve.org/CVERecord?id=CVE-2022-21724) | **9.8** | Critical | Arbitrary code execution via connection property class loading |
| [CVE-2022-31197](https://www.cve.org/CVERecord?id=CVE-2022-31197) | **7.1** | High | SQL injection in `ResultSet.refreshRow()` |

## Proposed Fix

Upgrade `postgres_version` from `42.2.16` to `42.7.10` in `BeamModulePlugin.groovy`.

The PostgreSQL JDBC Driver maintains full JDBC 4.2 API backward compatibility across all 42.x releases. The changes between these versions are internal security and bug fixes with no public API changes.

## References

- https://jdbc.postgresql.org/security/
- https://www.postgresql.org/about/news/postgresql-jdbc-4272-4261-4255-4244-4239-42228-and-42228jre7-security-update-for-cve-2024-1597-2812/
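A branch-aware check for the pinned driver version, added here as an example and not part of the issue or of Beam's build: it reads a `postgres_version` assignment of the form assumed for `BeamModulePlugin.groovy` and compares it against the per-branch fixed releases for CVE-2024-1597 listed in the advisory URL the issue references (42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28). The sample Groovy lines are constructed; only CVE-2024-1597 is covered because the page gives fixed versions only for that CVE.

```python
import re

# Fixed releases per 42.x branch for CVE-2024-1597, taken from the advisory
# URL referenced in the issue. A plain numeric comparison against the newest
# fix would be wrong: 42.2.28 is fixed although it is older than 42.3.0.
CVE_2024_1597_FIXED = {
    (42, 7): (42, 7, 2),
    (42, 6): (42, 6, 1),
    (42, 5): (42, 5, 5),
    (42, 4): (42, 4, 4),
    (42, 3): (42, 3, 9),
    (42, 2): (42, 2, 28),
}

# Assumed shape of the pin: `def postgres_version = "42.2.16"` (or `key: "..."`).
VERSION_RE = re.compile(r'postgres_version\s*[:=]\s*["\']([0-9.]+)["\']')


def parse_version(text):
    """Turn '42.2.16' into the comparable tuple (42, 2, 16)."""
    return tuple(int(part) for part in text.split("."))


def pinned_pg_version(groovy_source):
    """Extract the pinned driver version from a Groovy build fragment."""
    match = VERSION_RE.search(groovy_source)
    if not match:
        raise ValueError("postgres_version pin not found")
    return parse_version(match.group(1))


def is_fixed_for_cve_2024_1597(version):
    """True if this version is at or above its branch's fixed release."""
    branch = version[:2]
    if branch in CVE_2024_1597_FIXED:
        return version >= CVE_2024_1597_FIXED[branch]
    # Branches newer than any listed fix ship with the fix; older minor
    # branches (e.g. 42.1.x) never received one and are treated as affected.
    return branch > max(CVE_2024_1597_FIXED)


def audit(groovy_source):
    """Report the pinned version and whether it is fixed for CVE-2024-1597."""
    version = pinned_pg_version(groovy_source)
    return {
        "version": ".".join(map(str, version)),
        "cve_2024_1597_fixed": is_fixed_for_cve_2024_1597(version),
    }


# Constructed samples mirroring the before/after pin the issue proposes.
BEFORE = 'def postgres_version = "42.2.16"'
AFTER = 'def postgres_version = "42.7.10"'
```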
