CVE-2024-27289 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-27289

CVE-2024-27289

March 06, 2024

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.

Additional Notes

The description of this vulnerability differs from MITRE.

Related Resources (6)

https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p

https://nvd.nist.gov/vuln/detail/CVE-2024-27289

https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/

https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw

https://github.com/jackc/pgx

https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df

Do you need more information?

CVSS v4

Base Score:

9.2

Attack Vector

NETWORK

Attack Complexity

HIGH

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

EPSS

Base Score:

0.59

Products

Solutions

Resources

Company

Compare

Developer Tools