PT-2024-2043 · Pgx+2

Paul-Gerste-Sonarsource

Published: 2024-03-04
Updated: 2026-05-21
CVE: CVE-2024-27304

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: pgx versions prior to 4.18.2; pgx versions prior to 5.5.4

Description: SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.

Recommendations: For pgx versions prior to 4.18.2, update to version 4.18.2 or later. For pgx versions prior to 5.5.4, update to version 5.5.4 or later. As a temporary workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.
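The description above turns on one arithmetic fact: a message length computed in 32-bit arithmetic wraps once the real size passes 4 GB, so a multi-gigabyte message can be reported as a tiny one. The Go program below is an added example written for this entry, not pgx's own code, and it does not reproduce pgx's wire encoding. It assumes a simplified layout (a 4-byte length header plus a 4-byte length prefix per parameter) and uses hypothetical names (`int32MessageLength`, `int64MessageLength`, `checkBindSize`, `maxMessageBytes`, an assumed 1 GiB application-level cap). It contrasts the wrapping 32-bit computation with a 64-bit one and shows the interim workaround from the Recommendations field: rejecting input before it reaches the driver when the would-be message exceeds the cap.

```go
package main

import "fmt"

// maxMessageBytes is an assumed application-level cap on the total size of
// one query or bind message. Anything approaching 4 GB (the ceiling of a
// 32-bit length field) is far beyond normal use, so a conservative 1 GiB
// bound is used here. This value is chosen for the example, not taken from pgx.
const maxMessageBytes int64 = 1 << 30

// int32MessageLength models a message-length calculation done in 32-bit
// arithmetic: a 4-byte length header plus, per parameter, a 4-byte length
// prefix and the payload. It is a simplified illustration of the failure
// mode in the advisory, not pgx's own code. Go int32 addition wraps silently
// on overflow, so the result can be small even for a multi-gigabyte message.
func int32MessageLength(paramLens []int64) int32 {
	n := int32(4)
	for _, l := range paramLens {
		n += 4 + int32(l) // int32(l) truncates, then the add may wrap
	}
	return n
}

// int64MessageLength is the same calculation in 64-bit arithmetic, which
// cannot wrap for any realistic input.
func int64MessageLength(paramLens []int64) int64 {
	n := int64(4)
	for _, l := range paramLens {
		n += 4 + l
	}
	return n
}

// checkBindSize implements the advisory's interim workaround: compute the
// would-be message size in 64-bit arithmetic and refuse the request before
// it reaches the driver if it exceeds the cap.
func checkBindSize(paramLens []int64) error {
	if total := int64MessageLength(paramLens); total > maxMessageBytes {
		return fmt.Errorf("bind message would be %d bytes, exceeds cap of %d", total, maxMessageBytes)
	}
	return nil
}

func main() {
	// Constructed parameter sizes: one 3 GiB value and one just over 1 GiB.
	// Only the lengths are used; no memory of that size is allocated.
	big := []int64{3 << 30, 1<<30 + 100}
	fmt.Printf("32-bit length: %d\n", int32MessageLength(big)) // 112
	fmt.Printf("64-bit length: %d\n", int64MessageLength(big)) // 4294967408
	fmt.Println("guard:", checkBindSize(big))

	small := []int64{16, 256}
	fmt.Println("guard on small input:", checkBindSize(small)) // <nil>
}
```

The 32-bit result (112) differs from the true size (4294967408) by exactly 2^32, which is the wrap the advisory describes. A guard such as `checkBindSize` belongs at the point where untrusted input is turned into query parameters, and it is a stopgap only; the fixed pgx versions listed above remain the actual remedy.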

Weakness Enumeration: SQL injection, Integer Overflow

Related Identifiers

ALSA-2025_16880
ALT-PU-2024-12202
ALT-PU-2024-12410
ALT-PU-2024-9408
ALT-PU-2024-9897
AZL-35752
AZL-35762
BDU:2024-01921
CVE-2024-27304
GHSA-7JWH-3VRQ-Q3M8
GHSA-MRWW-27VC-GGHV
GO-2024-2606

Affected Products

Alt Linux
Debian
Pgx