#VU87832 SQL injection in PostgreSQL driver and toolkit for Go - CVE-2024-27304
Published: March 26, 2024
Vulnerability identifier: #VU87832
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-27304
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
PostgreSQL driver and toolkit for Go
PostgreSQL driver and toolkit for Go
Software vendor:
Jack Christensen
Jack Christensen
Description
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data when handling overly large queries that exceed 4 GB in size. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Remediation
Install update from vendor's website.
External links
- https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv
- https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8
- https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007
- https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4
- https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8
- https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df