CVE-2024-1597 — SQL Injection in Pgjdbc
Severity
9.8 CRITICAL (NVD)
CNA: 10.0, VulnCheck: 10.0
EPSS
0.5%
top 33.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 19
Latest update: Apr 17
Description
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note that this is not the default; in the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized …
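An audit helper for the conditions in the description, as an added example that is not part of the advisory or of pgjdbc: it reports SQL lines where a placeholder directly follows a minus and a second placeholder appears later on the same line, but only when the JDBC URL selects the non-default simple mode. The URLs, schema and query are constructed; the check cannot tell whether the second placeholder is bound to a string, so it flags every such line for review.

```python
import re
from urllib.parse import parse_qs

# Single-quoted SQL literals ('' is an escaped quote); removed so a "?" in text is ignored.
_LITERAL = re.compile(r"'(?:[^']|'')*'")
# A placeholder immediately preceded by a minus, then a later placeholder on the same line.
_RISKY = re.compile(r"-\?.*\?")

def simple_mode_enabled(jdbc_url):
    """True if the URL sets preferQueryMode to simple (matched case-insensitively)."""
    params = parse_qs(jdbc_url.partition("?")[2])
    return any(k.lower() == "preferquerymode" and v[-1].lower() == "simple"
               for k, v in params.items())

def risky_lines(sql):
    """Return (line_number, text) for lines matching the placeholder shape in the advisory."""
    # Drop literals but keep their newlines so line numbers still match the original.
    masked = _LITERAL.sub(lambda m: "\n" * m.group().count("\n"), sql)
    masked = masked.replace("??", "")  # pgjdbc's escape for a literal "?" is not a placeholder
    pairs = zip(sql.split("\n"), masked.split("\n"))
    return [(no, orig.strip()) for no, (orig, line) in enumerate(pairs, 1)
            if _RISKY.search(line)]

def audit(jdbc_url, sql):
    """Findings only matter when the non-default simple mode is configured."""
    return risky_lines(sql) if simple_mode_enabled(jdbc_url) else []

# Constructed sample input (hypothetical host, schema and query).
SIMPLE_URL = "jdbc:postgresql://db.example.test:5432/app?preferQueryMode=simple"
DEFAULT_URL = "jdbc:postgresql://db.example.test:5432/app"
SAMPLE_SQL = """SELECT id, name FROM items
WHERE balance > -? AND owner = ?
  AND note <> '-? then ?'
  AND delta = -?
  AND tag = ?"""

if __name__ == "__main__":
    for no, text in audit(SIMPLE_URL, SAMPLE_SQL):
        print(f"line {no}: review placeholder pattern: {text}")
```

The mode can also be set through connection properties rather than the URL, which this URL-only check does not see.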
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 2 packages
Also affects: Fedora 40
Vulnerability Details (6)
OSV
CVE-2024-1597: pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE (2024-02-19)
Vendor Advisories (4)
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Third Party (PostgreSQL JDBC Driver) — CVE-2024-1597 (2024-04-15)
Atlassian
SQLi (SQL Injection) org.postgresql:postgresql Dependency in Bamboo Data Center and Server NOTE : CVE-2024-1597 is a cri (2024-03-19)
Red Hat
pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE (2024-02-19)
Debian
CVE-2024-1597: libpgjava - pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using Prefe... (2024)