Vulnerability DatabaseCVE-2024-1597
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-1597
February 19, 2024
pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
Affected Packages
org.postgresql:postgresql (JAVA):
Affected version(s) >=42.7.0 <42.7.2
Fix Suggestion:
Update to version 42.7.2
org.postgresql:postgresql (JAVA):
Affected version(s) >=9.2-1002-jdbc4 <42.2.28
Fix Suggestion:
Update to version 42.2.28
org.postgresql:postgresql (JAVA):
Affected version(s) >=42.4.0 <42.4.4
Fix Suggestion:
Update to version 42.4.4
org.postgresql:postgresql (JAVA):
Affected version(s) >=42.3.0 <42.3.9
Fix Suggestion:
Update to version 42.3.9
org.postgresql:postgresql (JAVA):
Affected version(s) >=42.5.0 <42.5.5
Fix Suggestion:
Update to version 42.5.5
org.postgresql:postgresql (JAVA):
Affected version(s) >=42.6.0 <42.6.1
Fix Suggestion:
Update to version 42.6.1
Related ResourcesĀ (24)
https://github.com/aws/amazon-redshift-jdbc-driver/commit/12a5e8ecfbb44c8154fc66041cca2e20ecd7b339
https://lists.debian.org/debian-lts-announce/2024/12/msg00017.html
https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/
https://github.com/aws/amazon-redshift-jdbc-driver/commit/bc93694201a291493778ce5369a72befeca5ba7d
http://www.openwall.com/lists/oss-security/2024/04/02/6
https://lists.debian.org/debian-lts-announce/2024/05/msg00007.html
https://github.com/aws/amazon-redshift-jdbc-driver/security/advisories/GHSA-x3wm-hffr-chwm
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZQTSMESZD2RJ5XBPSXH3TIQVUW5DIUU
https://github.com/pgjdbc/pgjdbc/commit/93b0fcb2711d9c1e3a2a03134369738a02a58b40
https://github.com/pgjdbc/pgjdbc
https://github.com/aws/amazon-redshift-jdbc-driver/commit/0d354a5f26ca23f7cac4e800e3b8734220230319
https://nvd.nist.gov/vuln/detail/CVE-2024-1597
https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes
https://nvd.nist.gov/vuln/detail/CVE-2024-32888
https://security.netapp.com/advisory/ntap-20240419-0008
https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes/
https://security.netapp.com/advisory/ntap-20240419-0008/
https://github.com/aws/amazon-redshift-jdbc-driver
https://security-tracker.debian.org/tracker/CVE-2024-1597
https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/
https://github.com/pgjdbc/pgjdbc/commit/06abfb78a627277a580d4df825f210e96a4e14ee
https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZQTSMESZD2RJ5XBPSXH3TIQVUW5DIUU/
Do you need more information?
Contact Us
CVSS v4
Base Score:
10
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
10
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-89
EPSS
Base Score:
0.55