Multiple vulnerabilities in PostgreSQL driver and toolkit for Go



Published: 2024-03-26
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2024-27289
CVE-2024-27304
CWE-ID CWE-89
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
PostgreSQL driver and toolkit for Go
Universal components / Libraries / Programming Languages & Components

Vendor Jack Christensen

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) SQL injection

EUVDB-ID: #VU87833

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-27289

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data under certain conditions. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability requires that all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PostgreSQL driver and toolkit for Go: 4.0.0 - 4.18.1

CPE2.3 External links

http://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
http://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) SQL injection

EUVDB-ID: #VU87832

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-27304

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data when handling overly large queries that exceed 4 GB in size. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PostgreSQL driver and toolkit for Go: 4.0.0 - 5.5.3

CPE2.3 External links

http://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv
http://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8
http://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007
http://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4
http://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8
http://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###