Home > Vulnerability Database > CVE-2024-27304

Mend.io Vulnerability Database

CVE-2024-27304

Good to know:

Date: March 6, 2024

pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

Language: Go

Severity Score

9.8

Related Resources (8)

Url: https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df

Url: https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007

Url: https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4

Url: https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-27304

Url: https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8

Url: https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv

Url: https://www.mend.io/vulnerability-database/CVE-2024-27304

Severity Score

9.8

Weakness Type (CWE)

Integer Overflow or Wraparound

CWE-190

SQL Injection

CWE-89

Top Fix

Upgrade Version

Upgrade to version jackc/pgproto3 - v2.3.3, github.com/jackc/pgx - v4.18.2,v5.5.4

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-27304

Good to know:

Date: March 6, 2024

Language: Go

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?