3.1.1 Fixes for vulnerabilities CVE-2025-48924 and CVE-2025-49146

This release fixes the following vulnerabilities:

CVE-2025-48924 (CWE-674) in dependency org.apache.commons:commons-lang3:jar:3.16.0:test

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

CVE: CVE-2025-48924
CWE: CWE-674

References

• https://ossindex.sonatype.org/vulnerability/CVE-2025-48924?component-type=maven&component-name=org.apache.commons%2Fcommons-lang3&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-48924
• GHSA-j288-q9x7-2f5v

CVE-2025-49146 (CWE-287) in dependency org.postgresql:postgresql:jar:42.7.6:compile

postgresql - Improper Authentication

CVE: CVE-2025-49146
CWE: CWE-287

References

• https://ossindex.sonatype.org/vulnerability/CVE-2025-49146?component-type=maven&component-name=org.postgresql%2Fpostgresql&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-49146
• GHSA-hq9p-pm7w-8p54
• https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.postgresql/postgresql/CVE-2025-49146.yml
• https://nvd.nist.gov/vuln/detail/CVE-2025-49146
• https://osv-vulnerabilities.storage.googleapis.com/Maven/GHSA-hq9p-pm7w-8p54.json

Security

• #86: Fixed vulnerability CVE-2025-48924 in dependency org.apache.commons:commons-lang3:jar:3.16.0:test
• #85: Fixed vulnerability CVE-2025-49146 in dependency org.postgresql:postgresql:jar:42.7.6:compile

Dependency Updates

Compile Dependency Updates

• Updated org.postgresql:postgresql:42.7.6 to 42.7.7

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:7.1.5 to 7.1.7

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:2.0.3 to 2.0.4
• Updated com.exasol:project-keeper-maven-plugin:5.1.0 to 5.2.3

3.1.0 Timestamp precision

This release improves the support for TIMESTAMP columns with fractional second precision (FSP).
The specified FSP will be maintained in Exasol newer versions (>= 8.32.0)

This release also contains a security update. We updated the dependencies of the project to fix transitive security issues.

We also added an exception for the OSSIndex for CVE-2024-55551, which is a false positive in Exasol's JDBC driver.
This issue has been fixed quite a while back now, but the OSSIndex unfortunately does not contain the fix version of 24.2.1 (2024-12-10) set.

Security

• #83: Upgraded dependencies

Features

• #80: Enabled Timestamp precision support
• #79: Re-enabled current_schema pushdown

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:virtual-schema-common-jdbc:12.0.0 to 13.0.0
• Updated org.postgresql:postgresql:42.7.2 to 42.7.6

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:7.0.1 to 7.1.5
• Updated com.exasol:hamcrest-resultset-matcher:1.6.4 to 1.7.1
• Updated com.exasol:test-db-builder-java:3.5.3 to 3.6.1
• Updated com.exasol:udf-debugging-java:0.6.11 to 0.6.16
• Updated com.exasol:virtual-schema-common-jdbc:12.0.0 to 13.0.0
• Updated com.exasol:virtual-schema-shared-integration-tests:3.0.0 to 3.0.1
• Updated org.hamcrest:hamcrest:2.2 to 3.0
• Updated org.jacoco:org.jacoco.agent:0.8.11 to 0.8.13
• Updated org.junit.jupiter:junit-jupiter:5.10.1 to 5.13.0
• Updated org.mockito:mockito-junit-jupiter:5.10.0 to 5.18.0
• Added org.slf4j:slf4j-jdk14:2.0.17
• Updated org.testcontainers:junit-jupiter:1.19.4 to 1.21.1
• Updated org.testcontainers:postgresql:1.19.4 to 1.21.1

Plugin Dependency Updates

• Updated com.exasol:artifact-reference-checker-maven-plugin:0.4.2 to 0.4.3
• Updated com.exasol:error-code-crawler-maven-plugin:2.0.0 to 2.0.3
• Updated com.exasol:project-keeper-maven-plugin:4.0.0 to 5.1.0
• Added com.exasol:quality-summarizer-maven-plugin:0.2.0
• Added io.github.git-commit-id:git-commit-id-maven-plugin:9.0.1
• Removed io.github.zlika:reproducible-build-maven-plugin:0.16
• Added org.apache.maven.plugins:maven-artifact-plugin:3.6.0
• Updated org.apache.maven.plugins:maven-assembly-plugin:3.6.0 to 3.7.1
• Updated org.apache.maven.plugins:maven-clean-plugin:3.2.0 to 3.4.1
• Updated org.apache.maven.plugins:maven-compiler-plugin:3.12.1 to 3.14.0
• Updated org.apache.maven.plugins:maven-dependency-plugin:3.6.1 to 3.8.1
• Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.1 to 3.5.0
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.5 to 3.5.3
• Updated org.apache.maven.plugins:maven-install-plugin:3.1.2 to 3.1.4
• Updated org.apache.maven.plugins:maven-jar-plugin:3.3.0 to 3.4.2
• Updated org.apache.maven.plugins:maven-site-plugin:3.12.1 to 3.21.0
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.5 to 3.5.3
• Updated org.apache.maven.plugins:maven-toolchains-plugin:3.1.0 to 3.2.0
• Updated org.codehaus.mojo:exec-maven-plugin:3.1.0 to 3.5.0
• Updated org.codehaus.mojo:flatten-maven-plugin:1.6.0 to 1.7.0
• Updated org.codehaus.mojo:versions-maven-plugin:2.16.2 to 2.18.0
• Updated org.jacoco:jacoco-maven-plugin:0.8.11 to 0.8.13
• Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594 to 5.1.0.4751

3.0.0: Char set is always `utf-8`, deprecated IMPORT_DATA_TYPES `FROM_RESULT_SET` value

Summary

The behaviour when it comes to character sets is now simplified,
The target char set is now always UTF-8.
The IMPORT_DATA_TYPES property (and value FROM_RESULT_SET) are now deprecated (change in vs-common-jdbc):
An exception will be thrown when users use FROM_RESULT_SET. The exception message warns the user that the value is no longer supported and the property itself is also deprecated.

Various broken scalar time-related extraction functions for dates and timestamps in the virtual schema are now fixed: year,month,day,hour,minute,second.

Scalar division (/) which was broken in some cases now also works correctly.

Tests for current_schema are currently disabled, this is because of a discovered compiler bug: #79 .
These tests will be re-evaluated later when there is more clarity about this issue.

We also updated dependencies and resolved the following 2 CVEs in test dependency org.apache.commons:commons-compress:

• CVE-2024-26308
• CVE-2024-25710
  We also updated dependencies and resolved the following CVE in test dependency org.postgresql:postgresql::
• CVE-2024-1597

Features

• #68 : Update tests to V8 VSPG refactoring

Security

• #78 : Fix vulnerabilities in org.postgresql:postgresql:jar:42.6.0:compile & org.apache.commons:commons-compress:jar:1.24.0:test

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:virtual-schema-common-jdbc:11.0.2 to 12.0.0
• Updated org.postgresql:postgresql:42.6.0 to 42.7.2

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:6.6.2 to 7.0.1
• Updated com.exasol:hamcrest-resultset-matcher:1.6.1 to 1.6.4
• Updated com.exasol:test-db-builder-java:3.5.1 to 3.5.3
• Updated com.exasol:virtual-schema-common-jdbc:11.0.2 to 12.0.0
• Updated com.exasol:virtual-schema-shared-integration-tests:2.2.5 to 3.0.0
• Added org.jacoco:org.jacoco.agent:0.8.11
• Updated org.junit.jupiter:junit-jupiter:5.10.0 to 5.10.1
• Updated org.mockito:mockito-junit-jupiter:5.5.0 to 5.10.0
• Updated org.testcontainers:junit-jupiter:1.19.0 to 1.19.4
• Updated org.testcontainers:postgresql:1.19.0 to 1.19.4

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:1.3.0 to 2.0.0
• Updated com.exasol:project-keeper-maven-plugin:2.9.12 to 4.0.0
• Updated org.apache.maven.plugins:maven-compiler-plugin:3.11.0 to 3.12.1
• Updated org.apache.maven.plugins:maven-dependency-plugin:2.8 to 3.6.1
• Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.0 to 3.4.1
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.1.2 to 3.2.5
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.1.2 to 3.2.5
• Added org.apache.maven.plugins:maven-toolchains-plugin:3.1.0
• Updated org.codehaus.mojo:flatten-maven-plugin:1.5.0 to 1.6.0
• Updated org.codehaus.mojo:versions-maven-plugin:2.16.0 to 2.16.2
• Updated org.jacoco:jacoco-maven-plugin:0.8.10 to 0.8.11
• Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184 to 3.10.0.2594

2.2.2: Fix CVE-2023-42503 in test dependency

Summary

This release fixes CVE-2023-42503 in test dependency org.apache.commons:commons-compress.

Security

• #74: Fixed CVE-2023-42503 in test dependency org.apache.commons:commons-compress

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:virtual-schema-common-jdbc:10.5.0 to 11.0.2

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:6.6.0 to 6.6.2
• Updated com.exasol:hamcrest-resultset-matcher:1.6.0 to 1.6.1
• Updated com.exasol:test-db-builder-java:3.4.2 to 3.5.1
• Updated com.exasol:udf-debugging-java:0.6.9 to 0.6.11
• Updated com.exasol:virtual-schema-common-jdbc:10.5.0 to 11.0.2
• Updated com.exasol:virtual-schema-shared-integration-tests:2.2.4 to 2.2.5
• Updated org.junit.jupiter:junit-jupiter:5.9.3 to 5.10.0
• Updated org.mockito:mockito-junit-jupiter:5.4.0 to 5.5.0
• Updated org.testcontainers:junit-jupiter:1.18.3 to 1.19.0
• Updated org.testcontainers:postgresql:1.18.3 to 1.19.0

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:1.2.3 to 1.3.0
• Updated com.exasol:project-keeper-maven-plugin:2.9.7 to 2.9.12
• Updated org.apache.maven.plugins:maven-assembly-plugin:3.5.0 to 3.6.0
• Updated org.apache.maven.plugins:maven-enforcer-plugin:3.3.0 to 3.4.0
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.0.0 to 3.1.2
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.0.0 to 3.1.2
• Updated org.basepom.maven:duplicate-finder-maven-plugin:1.5.1 to 2.0.1
• Updated org.codehaus.mojo:flatten-maven-plugin:1.4.1 to 1.5.0
• Updated org.codehaus.mojo:versions-maven-plugin:2.15.0 to 2.16.0
• Updated org.jacoco:jacoco-maven-plugin:0.8.9 to 0.8.10

2.2.1: Update Documentation and Dependencies

Summary

This release adds a reference to common adapter properties for JDBC-based virtual schemas to the user guide and updates the dependencies.

Documentation

• #71: Updated user guide with reference to common adapter properties for JDBC-based virtual schemas

Dependency Updates

Compile Dependency Updates

• Updated org.postgresql:postgresql:42.5.4 to 42.6.0

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:6.5.1 to 6.6.0
• Updated com.exasol:hamcrest-resultset-matcher:1.5.2 to 1.6.0
• Updated com.exasol:udf-debugging-java:0.6.8 to 0.6.9
• Updated org.junit.jupiter:junit-jupiter:5.9.2 to 5.9.3
• Updated org.mockito:mockito-junit-jupiter:5.2.0 to 5.4.0
• Updated org.testcontainers:junit-jupiter:1.17.6 to 1.18.3
• Updated org.testcontainers:postgresql:1.17.6 to 1.18.3

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:1.2.2 to 1.2.3
• Updated com.exasol:project-keeper-maven-plugin:2.9.4 to 2.9.7
• Updated org.apache.maven.plugins:maven-compiler-plugin:3.10.1 to 3.11.0
• Updated org.apache.maven.plugins:maven-enforcer-plugin:3.2.1 to 3.3.0
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.0.0-M8 to 3.0.0
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M8 to 3.0.0
• Added org.basepom.maven:duplicate-finder-maven-plugin:1.5.1
• Updated org.codehaus.mojo:flatten-maven-plugin:1.3.0 to 1.4.1
• Updated org.codehaus.mojo:versions-maven-plugin:2.14.2 to 2.15.0
• Updated org.jacoco:jacoco-maven-plugin:0.8.8 to 0.8.9

2.2.0: Dependency Upgrade

Summary

Updated dependencies to remove references to discontinued maven repository maven.exasol.com.

Please note that updated dependency virtual-schema-common-jdbc adds support for a new adapter property MAX_TABLE_COUNT and fixes ambiguous results by escaping SQL wildcards such as underscore _ and percent % in names of catalogs, schemas, and tables when retrieving column metadata from JDBC driver.

Changes

• #66: Updated dependencies

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:error-reporting-java:1.0.0 to 1.0.1
• Updated com.exasol:virtual-schema-common-jdbc:10.1.0 to 10.5.0
• Updated org.postgresql:postgresql:42.5.1 to 42.5.4

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:6.4.1 to 6.5.1
• Updated com.exasol:test-db-builder-java:3.4.1 to 3.4.2
• Updated com.exasol:udf-debugging-java:0.6.5 to 0.6.8
• Updated com.exasol:virtual-schema-common-jdbc:10.1.0 to 10.5.0
• Updated com.exasol:virtual-schema-shared-integration-tests:2.2.3 to 2.2.4
• Updated org.junit.jupiter:junit-jupiter:5.9.1 to 5.9.2
• Updated org.mockito:mockito-junit-jupiter:4.10.0 to 5.2.0

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:1.2.1 to 1.2.2
• Updated com.exasol:project-keeper-maven-plugin:2.9.1 to 2.9.4
• Updated org.apache.maven.plugins:maven-assembly-plugin:3.4.2 to 3.5.0
• Updated org.apache.maven.plugins:maven-enforcer-plugin:3.1.0 to 3.2.1
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.0.0-M7 to 3.0.0-M8
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M7 to 3.0.0-M8
• Updated org.codehaus.mojo:versions-maven-plugin:2.13.0 to 2.14.2

2.1.0: Result set Type Calculation Switch

Summary

We updated virtual-schema-common-jdbc to version 10.1.0 in order to enable switching the calculation of the result set data types between calculated by Exasol (default) and inferred from JDBC. The default is more efficient, but some JDBC drivers are inconsistent when reporting character encodings. In those cases you can fall back to the old mechanism that infers the data types from the reported result set types.

We also renamed error codes from PGVS to VSPG and removed the reference to the Exasol artifactory from the bill-of-materials file, because all dependencies are now available on Maven Central.

Features

• #59: Renamed error codes from PGVS to VSPG.

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:virtual-schema-common-jdbc:10.0.1 to 10.1.0
• Updated org.postgresql:postgresql:42.5.0 to 42.5.1

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:6.2.0 to 6.4.1
• Updated com.exasol:test-db-builder-java:3.3.4 to 3.4.1
• Updated com.exasol:udf-debugging-java:0.6.4 to 0.6.5
• Updated com.exasol:virtual-schema-common-jdbc:10.0.1 to 10.1.0
• Updated com.exasol:virtual-schema-shared-integration-tests:2.2.2 to 2.2.3
• Updated org.mockito:mockito-junit-jupiter:4.8.0 to 4.10.0
• Updated org.testcontainers:junit-jupiter:1.17.3 to 1.17.6
• Updated org.testcontainers:postgresql:1.17.3 to 1.17.6

Plugin Dependency Updates

• Updated com.exasol:artifact-reference-checker-maven-plugin:0.4.0 to 0.4.2
• Updated com.exasol:error-code-crawler-maven-plugin:1.1.1 to 1.2.1
• Updated com.exasol:project-keeper-maven-plugin:2.4.6 to 2.9.1
• Updated io.github.zlika:reproducible-build-maven-plugin:0.15 to 0.16
• Updated org.apache.maven.plugins:maven-assembly-plugin:3.3.0 to 3.4.2
• Updated org.apache.maven.plugins:maven-enforcer-plugin:3.0.0 to 3.1.0
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.0.0-M5 to 3.0.0-M7
• Updated org.apache.maven.plugins:maven-jar-plugin:3.2.2 to 3.3.0
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M5 to 3.0.0-M7
• Updated org.codehaus.mojo:exec-maven-plugin:3.0.0 to 3.1.0
• Updated org.codehaus.mojo:flatten-maven-plugin:1.2.7 to 1.3.0
• Updated org.codehaus.mojo:versions-maven-plugin:2.10.0 to 2.13.0

2.0.5: Fix vulnerabilities in dependencies

Summary

This release fixes CVE-2022-38751 and CVE-2022-38752 in snakeyaml.

Features

• #57: Fixed vulnerabilities in dependencies

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:error-reporting-java:0.4.1 to 1.0.0
• Updated com.exasol:virtual-schema-common-jdbc:9.0.5 to 10.0.1

Test Dependency Updates

• Updated com.exasol:autogenerated-resource-verifier-java:0.1.1 to 0.1.2
• Updated com.exasol:exasol-testcontainers:6.1.2 to 6.2.0
• Updated com.exasol:hamcrest-resultset-matcher:1.5.1 to 1.5.2
• Updated com.exasol:test-db-builder-java:3.3.3 to 3.3.4
• Updated com.exasol:virtual-schema-common-jdbc:9.0.5 to 10.0.1
• Updated com.exasol:virtual-schema-shared-integration-tests:2.2.0 to 2.2.2
• Updated org.junit.jupiter:junit-jupiter:5.8.2 to 5.9.1
• Updated org.mockito:mockito-junit-jupiter:4.6.1 to 4.8.0
• Updated org.testcontainers:junit-jupiter:1.17.2 to 1.17.3
• Updated org.testcontainers:postgresql:1.17.2 to 1.17.3

2.0.4: Documentation and Dependencies update

Summary

Fixed vulnerability sonatype-2022-4402 reported by ossindex for dependency org.postgresql:postgresql:jar:42.4.0 in compile by updating dependency.

Updated documentation, fixed broken links added information specific to PostgreSQL virtual schemas.

Documentation

• #55: Updated documentation

Dependency Updates

Compile Dependency Updates

• Updated org.postgresql:postgresql:42.4.0 to 42.5.0

2.0.3 Dependency Updates

Summary

In this release we updated dependencies and by that fixed the following security vulnerabilities:

• CVE-2022-24823
• sonatype-2020-0026
• CVE-2016-5003
• CVE-2016-5002
• CVE-2021-22569
• CVE-2016-5004

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:virtual-schema-common-jdbc:9.0.4 to 9.0.5
• Updated org.postgresql:postgresql:42.3.3 to 42.4.0

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:6.1.1 to 6.1.2
• Updated com.exasol:test-db-builder-java:3.3.1 to 3.3.3
• Updated com.exasol:udf-debugging-java:0.6.0 to 0.6.4
• Updated com.exasol:virtual-schema-common-jdbc:9.0.4 to 9.0.5
• Updated org.mockito:mockito-junit-jupiter:4.3.1 to 4.6.1
• Updated org.testcontainers:junit-jupiter:1.16.3 to 1.17.2
• Updated org.testcontainers:postgresql:1.16.3 to 1.17.2

Plugin Dependency Updates

• Updated com.exasol:artifact-reference-checker-maven-plugin:0.4.1 to 0.4.0
• Updated com.exasol:error-code-crawler-maven-plugin:1.0.0 to 1.1.1
• Updated com.exasol:project-keeper-maven-plugin:2.0.0 to 2.4.6
• Updated org.apache.maven.plugins:maven-clean-plugin:3.1.0 to 2.5
• Updated org.apache.maven.plugins:maven-compiler-plugin:3.10.0 to 3.10.1
• Updated org.apache.maven.plugins:maven-dependency-plugin:3.2.0 to 2.8
• Updated org.apache.maven.plugins:maven-deploy-plugin:2.8.2 to 2.7
• Updated org.apache.maven.plugins:maven-install-plugin:2.5.2 to 2.4
• Updated org.apache.maven.plugins:maven-resources-plugin:3.2.0 to 2.6
• Updated org.apache.maven.plugins:maven-site-plugin:3.11.0 to 3.3
• Updated org.codehaus.mojo:versions-maven-plugin:2.9.0 to 2.10.0
• Updated org.jacoco:jacoco-maven-plugin:0.8.7 to 0.8.8
• Added org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184