#VU87832 SQL injection in PostgreSQL driver and toolkit for Go - CVE-2024-27304
Vulnerability identifier: #VU87832
Vulnerability risk: Medium
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-89
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
PostgreSQL driver and toolkit for Go
Universal components / Libraries /
Programming Languages & Components
Vendor: Jack Christensen
Description
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data when handling overly large queries that exceed 4 GB in size. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Mitigation
Install update from vendor's website.
Vulnerable software versions
PostgreSQL driver and toolkit for Go: 4.0.0 - 4.18.1, 5.0.0 - 5.5.3
External links
https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv
https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8
https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007
https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4
https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8
https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
