CVE-2024-1597 - SQL Injection via line comment generation

First Published: 2024/02/26

Last Updated: 2024/03/08

Important: This is an assessment of the impact of CVE-2024-1597 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.

Summary

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.

Vulnerability details

CVE-ID: CVE-2024-1597

CVSS Base Score: 10.0

CVSS Temporal Score: Undefined

CVSS Environmental Score: Undefined

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products and versions

pgJDBC

  • All versions prior to 42.7.2
  • All versions prior to 42.6.1
  • All versions prior to 42.5.5
  • All versions prior to 42.3.9
  • All versions prior to 42.2.28

EnterpriseDB pgJDBC

  • All versions prior to 42.5.4.2

Remediation/fixes

pgJDBC Version Information

Affected VersionFixed InFix Published
All versions prior to 42.7.242.7.22024-02-19
All versions prior to 42.6.142.6.12024-02-19
All versions prior to 42.5.542.5.52024-02-19
All versions prior to 42.4.442.4.42024-02-19
All versions prior to 42.3.942.3.92024-02-19
All versions prior to 42.2.2842.2.282024-02-19

EDB pgJDBC Version Information

Affected VersionFixed InRemediation/First Fix
All versions prior to 42.5.4.242.5.4.2Update to latest supported version
(at least 4.5.4.2 and patch existing clients/applications.

EDB Assessment

Updated EDB JDBC Drivers are available in EDB Repos in the form of RPM and DEB native packages. It is also packaged and delivered as interactive installers available on the EDB Downloads site.

References

Acknowledgement

Source: pgJDBC team

Change history

  • 26 Feb 2024: Added details of EDB Assesment

Disclaimer

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.


Could this page be better? Report a problem or suggest an addition!