[
https://issues.apache.org/jira/browse/IMPALA-13180?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Smith resolved IMPALA-13180.
------------------------------------
Fix Version/s: Impala 4.5.0
Resolution: Fixed
> Upgrade postgresql to 42.5.5
> ----------------------------
>
> Key: IMPALA-13180
> URL: https://issues.apache.org/jira/browse/IMPALA-13180
> Project: IMPALA
> Issue Type: Task
> Reporter: Pranav Yogi Lodha
> Assignee: Pranav Yogi Lodha
> Priority: Critical
> Fix For: Impala 4.5.0
>
>
> Upgrade postgresql to 42.5.5 due to CVE-2024-1597
> Affected versions of this package are vulnerable to SQL Injection when using
> {{{}PreferQueryMode=SIMPLE{}}}, which is not the default setting. By passing
> in a numeric value placeholder immediately preceded by a minus and followed
> by a second placeholder for a string value, on the same line, an attacker can
> construct a payload that alters the parameterized query into which it is
> interpolated. This effectively bypasses the protections against SQL Injection
> that parameterized queries offer.
> [https://security.snyk.io/vuln/SNYK-JAVA-ORGPOSTGRESQL-6252740]
> [https://github.com/advisories/GHSA-24rp-q3w6-vc56]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
