CVE-2024-1597 - SQL Injection via line comment generation
First Published: 2024/02/26
Last Updated: 2024/03/08
Important: This is an assessment of the impact of CVE-2024-1597 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.
Summary
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL when the connection uses preferQueryMode=simple. This is not the default; in the default (extended) query mode there is no vulnerability. In simple query mode the driver substitutes parameter values into the SQL text on the client side. The vulnerable query shape is a placeholder for a numeric value immediately preceded by a minus sign, followed on the same line by a second placeholder for a string value. When the numeric value is negative, the minus in the query and the minus of the substituted literal combine into "--", which starts a line comment; by constructing a matching string payload for the second placeholder, the attacker can inject SQL that alters the query, bypassing the protection that parameterized queries normally provide against SQL injection. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
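The following is an added illustration written for this page; it is not pgjdbc source code and not EDB's. It models, in Python, what a simple-mode driver does when it renders parameters into the SQL text on the client, shows how a negative numeric parameter after a literal minus produces the "--" line comment, and shows what the server then effectively parses. The function and variable names (substitute, effective_sql, has_risky_shape, QUERY, PAYLOAD), the sample query and the attacker payload are all constructed for the example; the escaping rules are simplified assumptions, and parenthesizing negative literals is shown as one possible hardening, not as the upstream patch.

```python
"""Model of client-side parameter substitution in a JDBC simple query mode and
of the line-comment injection described in CVE-2024-1597.

This is an illustrative model for the advisory, not pgjdbc code. Escaping
rules are simplified assumptions: single quotes are doubled, everything else
(including newlines) passes through unchanged.
"""
import re
from typing import Sequence


def quote_string(value: str) -> str:
    """Assumed string-literal escaping: double single quotes, pass newlines."""
    return "'" + value.replace("'", "''") + "'"


def render_literal(value, protect_negative: bool) -> str:
    """Render one parameter as a SQL literal the way a simple-mode driver
    would. With protect_negative=True, negative numbers are parenthesized so
    that a preceding '-' in the query can never combine with the literal's
    '-' into the '--' comment introducer (one possible hardening; this is
    not the upstream fix reproduced)."""
    if isinstance(value, bool):
        return "TRUE" if value else "FALSE"
    if isinstance(value, (int, float)):
        text = str(value)
        if protect_negative and text.startswith("-"):
            return "(" + text + ")"
        return text
    if isinstance(value, str):
        return quote_string(value)
    raise TypeError(f"unsupported parameter type: {type(value).__name__}")


def substitute(sql: str, params: Sequence, protect_negative: bool = False) -> str:
    """Replace each '?' placeholder outside string literals, left to right,
    with the client-side rendered literal, as a simple-mode driver does."""
    out, p, in_str = [], 0, False
    for ch in sql:
        if ch == "'":
            in_str = not in_str
            out.append(ch)
        elif ch == "?" and not in_str:
            if p >= len(params):
                raise ValueError("not enough parameters")
            out.append(render_literal(params[p], protect_negative))
            p += 1
        else:
            out.append(ch)
    if p != len(params):
        raise ValueError("too many parameters")
    return "".join(out)


def effective_sql(rendered: str) -> str:
    """Approximate what the server parses: drop '--' line comments that start
    outside string literals. Deliberately small model of the PostgreSQL lexer
    (no block comments, no E'' or $$ strings)."""
    out, i, in_str = [], 0, False
    while i < len(rendered):
        ch = rendered[i]
        if ch == "'":
            in_str = not in_str
            out.append(ch)
            i += 1
        elif not in_str and rendered.startswith("--", i):
            nl = rendered.find("\n", i)
            i = len(rendered) if nl < 0 else nl  # comment runs to end of line
        else:
            out.append(ch)
            i += 1
    return "".join(out).strip()


# Audit helper: a '?' immediately after '-' with another '?' later on the same
# line is the query shape the advisory describes. It can false-positive on
# text inside string literals and is only relevant when preferQueryMode=simple.
RISKY_SHAPE = re.compile(r"-\?[^\n]*\?")


def has_risky_shape(sql: str) -> bool:
    return RISKY_SHAPE.search(sql) is not None


# Constructed sample: numeric placeholder right after '-', then a string
# placeholder on the same line.
QUERY = "SELECT * FROM accounts WHERE balance > -? AND owner = ?"

# Constructed attacker input for the string placeholder. The leading newline
# ends the comment opened by '--1'; the trailing '--' comments out the closing
# quote the driver appends after the payload.
PAYLOAD = "\n0 OR 1=1 --"


def demo():
    """Return (effective SQL with the vulnerable rendering,
               effective SQL with negative literals parenthesized)."""
    vulnerable = substitute(QUERY, [-1, PAYLOAD])
    hardened = substitute(QUERY, [-1, PAYLOAD], protect_negative=True)
    return effective_sql(vulnerable), effective_sql(hardened)


if __name__ == "__main__":
    v, h = demo()
    print("vulnerable rendering executes as:", " ".join(v.split()))
    print("hardened rendering executes as:  ", h)
```

In the vulnerable rendering the text "--1 AND owner = '" is swallowed by the comment and the server sees "balance > 0 OR 1=1", with the payload's trailing "--" removing the closing quote; in the hardened rendering the payload stays inside the string literal. In the default extended query mode none of this applies, because parameter values are sent to the server separately from the SQL text rather than rendered into it.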
Vulnerability details
CVE-ID: CVE-2024-1597
CVSS Base Score: 10.0
CVSS Temporal Score: Undefined
CVSS Environmental Score: Undefined
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products and versions
pgJDBC
- All versions prior to 42.7.2
- All versions prior to 42.6.1
- All versions prior to 42.5.5
- All versions prior to 42.4.4
- All versions prior to 42.3.9
- All versions prior to 42.2.28
EnterpriseDB pgJDBC
- All versions prior to 42.5.4.2
Remediation/fixes
pgJDBC Version Information
Affected Version | Fixed In | Fix Published |
---|---|---|
All versions prior to 42.7.2 | 42.7.2 | 2024-02-19 |
All versions prior to 42.6.1 | 42.6.1 | 2024-02-19 |
All versions prior to 42.5.5 | 42.5.5 | 2024-02-19 |
All versions prior to 42.4.4 | 42.4.4 | 2024-02-19 |
All versions prior to 42.3.9 | 42.3.9 | 2024-02-19 |
All versions prior to 42.2.28 | 42.2.28 | 2024-02-19 |
EDB pgJDBC Version Information
Affected Version | Fixed In | Remediation/First Fix |
---|---|---|
All versions prior to 42.5.4.2 | 42.5.4.2 | Update to the latest supported version (at least 42.5.4.2) and patch existing clients/applications. |
EDB Assessment
Updated EDB JDBC Drivers are available in EDB Repos as RPM and DEB native packages. They are also packaged and delivered as interactive installers on the EDB Downloads site. Only connections that set preferQueryMode=simple (in the JDBC URL or connection properties) are exposed; the default extended query mode is not affected, but all clients should still be updated to a fixed version.
References
Related information
Acknowledgement
Source: pgJDBC team
Change history
- 26 Feb 2024: Added details of EDB Assessment
Disclaimer
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.