CVE-2024-27289 — SQL Injection in PGX

CWE-89 — SQL Injection8 documents6 sources

Severity

8.1HIGHNVD

EPSS

0.6%

top 30.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jackc PGX Github.com Jackc PGX Github.com Jackc PGX V4 +10 more

Timeline

PublishedMar 6

Latest updateMar 12

Description

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple pr…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages13 packages

▶CVEListV5jackc/pgx< 4.18.2

▶NVDpgx_project/pgx< 4.18.2

▶Gogithub.com/jackc_pgx< 4.18.2

▶Gogithub.com/jackc_pgx_v4< 4.18.2

▶debiandebian/golang-github-jackc-pgx< golang-github-jackc-pgx 4.18.1-2 (forky)

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

SQL injection in github.com/jackc/pgx/v4↗2024-03-11

▶

OSV

CVE-2024-27289: pgx is a PostgreSQL driver and toolkit for Go↗2024-03-06

▶

GHSA

pgx SQL Injection via Line Comment Creation↗2024-03-04

▶

OSV

pgx SQL Injection via Line Comment Creation↗2024-03-04

▶

📋Vendor Advisories

Microsoft

pgx SQL Injection via Line Comment Creation↗2024-03-12

▶

Red Hat

pgx: SQL Injection via Line Comment Creation↗2024-03-07

▶

Debian

CVE-2024-27289: golang-github-jackc-pgx - pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL inje...↗2024

▶