Question:
Does the PostgreSQL vulnerability CVE-2025-1094 impact myQA iON?
Answer:
On February 13, 2025, the PostgreSQL project published an alert regarding a serious vulnerability. SQL injection is possible when an application uses the PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), or PQescapeStringConn() to construct input to psql, the PostgreSQL interactive terminal.
PostgreSQL versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
All currently released versions (2.1 and lower) of the myQA iON application integrate an affected version of PostgreSQL. However, myQA iON remains safe to use as it does not rely on the four impacted libpq functions. As a best practice, we recommend that users check their firewall and PostgreSQL configuration to make sure the database is not accessible from outside the myQA iON server.
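One way to carry out the PostgreSQL configuration check recommended above, as an added example that is not IBA's or the PostgreSQL project's code: it reads the text of postgresql.conf and pg_hba.conf and reports any listen address or host rule that admits clients from other machines. The sample file contents are constructed and the function names are hypothetical; the page does not say where myQA iON stores these files.

```python
import ipaddress

# Constructed sample files; real paths and contents depend on the installation.
SAMPLE_CONF = """\
listen_addresses = '*'     # every interface
port = 5432
"""
SAMPLE_HBA = """\
local   all  all                                  peer
host    all  all  127.0.0.1/32                    scram-sha-256
host    all  all  ::1/128                         scram-sha-256
host    all  all  0.0.0.0/0                       md5
hostssl all  all  192.168.10.0  255.255.255.0     scram-sha-256
host    all  all  10.0.0.0/8                      reject
"""

def is_local(addr):
    """True if a listen address or pg_hba address stays on this host."""
    if addr in ("localhost", "samehost"):
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:
        return False  # '*', 'all', 'samenet', other hostnames: assume remote

def exposed_listen_addresses(conf_text):
    """listen_addresses entries in postgresql.conf reachable from other hosts."""
    value = "localhost"  # PostgreSQL default when the setting is absent
    for line in conf_text.splitlines():
        key, _, rest = line.split("#", 1)[0].strip().replace("=", " ", 1).partition(" ")
        if key.lower() == "listen_addresses":
            value = rest.strip().strip("'")  # last occurrence wins
    return [a.strip() for a in value.split(",") if a.strip() and not is_local(a.strip())]

def remote_hba_rules(hba_text):
    """Addresses of pg_hba.conf host* rules that admit non-local clients."""
    found = []
    for line in hba_text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) < 5 or not f[0].startswith("host"):
            continue
        addr, method = f[3], f[4]
        if len(f) > 5 and ("." in f[4] or ":" in f[4]):  # separate netmask column
            addr, method = f"{f[3]}/{f[4]}", f[5]
        if method != "reject" and not is_local(addr):
            found.append(addr)
    return found
```

Both functions returning an empty list means PostgreSQL neither listens on nor authorizes non-loopback addresses; the firewall still has to be checked separately.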
The next version of myQA iON will be released with an updated version of PostgreSQL that fixes the vulnerability.
If you have any questions or concerns, please do not hesitate to reach out.
How can I contact the IBA Dosimetry Service and Support team?
Further information about this vulnerability and how to mitigate it when using PostgreSQL can be found here. (external source)