PgJDBC Security Release: Security Advisory

Interestingly, this vulnerability has existed for quite some time. I think the fact that refreshRow() is not used very widely, and that the vulnerability is difficult to exploit, made it very unlikely to be exploited.

The driver was not escaping the column name in the SQL it generated to execute refreshRow(). Because the column name was not escaped, a column name that contained SQL would be executed as part of that generated statement.
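To show the difference between concatenating a column name verbatim and quoting it as a PostgreSQL identifier, here is an added example; it is not pgjdbc's own code, the builders and quoteIdentifier() are hypothetical helpers, and the column name in main() is a constructed sample.

```java
import java.util.List;

/**
 * Contrasts a refreshRow()-style SELECT built by plain concatenation with one
 * that quotes every identifier. Hypothetical helper code, not the driver's.
 */
public class RefreshRowSqlExample {

    /** Naive builder: the column names are pasted into the SQL unchanged. */
    static String buildUnescaped(String table, List<String> columns, String keyColumn) {
        return "SELECT " + String.join(", ", columns)
             + " FROM " + table + " WHERE " + keyColumn + " = ?";
    }

    /**
     * Quote a PostgreSQL identifier: wrap it in double quotes and double any
     * embedded double quote, so the whole name is read as one identifier.
     */
    static String quoteIdentifier(String name) {
        if (name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("identifier contains NUL");
        }
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    /** Hardened builder: every table and column name goes through quoteIdentifier(). */
    static String buildEscaped(String table, List<String> columns, String keyColumn) {
        StringBuilder sb = new StringBuilder("SELECT ");
        for (int i = 0; i < columns.size(); i++) {
            if (i > 0) {
                sb.append(", ");
            }
            sb.append(quoteIdentifier(columns.get(i)));
        }
        sb.append(" FROM ").append(quoteIdentifier(table))
          .append(" WHERE ").append(quoteIdentifier(keyColumn)).append(" = ?");
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a column whose name contains a quote and a second statement.
        List<String> cols = List.of("id", "name\"; SELECT 1; --");
        System.out.println(buildUnescaped("t", cols, "id"));
        // -> SELECT id, name"; SELECT 1; -- FROM t WHERE id = ?   (the name leaks into the SQL)
        System.out.println(buildEscaped("t", cols, "id"));
        // -> SELECT "id", "name""; SELECT 1; --" FROM "t" WHERE "id" = ?   (one inert identifier)
    }
}
```

The quoted form keeps the odd column name as a single identifier, so the server never sees it as separate SQL.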

The details of the exploit can be found in the security advisory.