PT-2024-1805 · Postgresql · Pgjdbc

Reported by: Paul Gerste (SonarSource)

Published: 2024-02-19 · Updated: 2026-02-13

CVE-2024-1597

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

pgjdbc versions prior to 42.7.2
pgjdbc versions prior to 42.6.1
pgjdbc versions prior to 42.5.5
pgjdbc versions prior to 42.4.4
pgjdbc versions prior to 42.3.9
pgjdbc versions prior to 42.2.28

Description

The PostgreSQL JDBC Driver (pgjdbc) is vulnerable to SQL injection when the connection property PreferQueryMode=SIMPLE is used. An attacker can inject SQL and alter the executed query, bypassing the protection that parameterized queries normally provide. Exploitation requires specific conditions: a placeholder for a numeric value immediately preceded by a minus sign, and a second placeholder for a string value on the same line, with both parameters user-controlled. The vulnerability can be exploited to expose assets and has a high impact on confidentiality, integrity and availability.

Recommendations

To resolve the issue, upgrade pgjdbc to version 42.7.2 or later. If you stay on an older release line, upgrade to the first fixed release of that line: 42.6.1 for 42.6.x, 42.5.5 for 42.5.x, 42.4.4 for 42.4.x, 42.3.9 for 42.3.x, or 42.2.28 for 42.2.x. As a temporary workaround until the driver can be upgraded, do not set the PreferQueryMode=SIMPLE connection property.
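Both conditions in the recommendations, an unpatched driver and the simple query mode, can be checked from configuration alone. The following Python audit helper is an added example, not code from pgjdbc or from SonarSource; it assumes the connection settings are available as a JDBC URL plus an optional Properties-style dict, and that the application's SQL is available as text. It encodes the fixed versions listed above and flags statement lines of the shape the description gives (a minus directly before a placeholder, and another placeholder on the same line) for manual review.

```python
"""Audit helper for CVE-2024-1597 exposure (added example, not pgjdbc code)."""
import re
from urllib.parse import parse_qs

# First fixed release on each pgjdbc release line, taken from the advisory.
FIXED_BY_LINE = {
    (42, 7): (42, 7, 2),
    (42, 6): (42, 6, 1),
    (42, 5): (42, 5, 5),
    (42, 4): (42, 4, 4),
    (42, 3): (42, 3, 9),
    (42, 2): (42, 2, 28),
}


def parse_version(text):
    """'42.6.0' -> (42, 6, 0); non-numeric tails such as '.jre7' are ignored."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def driver_is_fixed(version):
    """True if this pgjdbc version is at or past the fix on its release line."""
    ver = parse_version(version)
    line = ver[:2]
    if line in FIXED_BY_LINE:
        return ver >= FIXED_BY_LINE[line]
    # Lines newer than 42.7 postdate the fix; anything older than the 42.2
    # line falls under "prior to 42.2.28" and is treated as affected.
    return line > (42, 7)


def simple_mode_enabled(jdbc_url, properties=None):
    """True if preferQueryMode=simple is set in the URL query string or in a
    Properties-style dict. Either source counts; the helper deliberately does
    not model which one the driver lets win when both are present."""
    candidates = []
    _, _, query = jdbc_url.partition("?")
    for key, values in parse_qs(query).items():
        if key.lower() == "preferquerymode":
            candidates.extend(values)
    for key, value in (properties or {}).items():
        if key.lower() == "preferquerymode":
            candidates.append(value)
    return any(v.strip().lower() == "simple" for v in candidates)


def assess(jdbc_url, driver_version, properties=None):
    """Combine the two configuration checks into one verdict string."""
    if driver_is_fixed(driver_version):
        return "not-affected: driver already fixed"
    if not simple_mode_enabled(jdbc_url, properties):
        return "not-affected: extended query mode in use"
    return "exposed: unpatched driver with preferQueryMode=simple"


# A '?' placeholder immediately preceded by '-' with at least one further
# placeholder later on the same line: the statement shape the advisory names.
RISKY_LINE = re.compile(r"-\?.*\?")


def flag_statements(sql_text):
    """Return (line_number, line) pairs that deserve a manual review."""
    return [(n, line) for n, line in enumerate(sql_text.splitlines(), 1)
            if RISKY_LINE.search(line)]


if __name__ == "__main__":
    # Constructed sample inputs; the host and statements are made up.
    url = "jdbc:postgresql://db.example.internal:5432/app?preferQueryMode=simple"
    print(assess(url, "42.6.0"))              # exposed
    print(assess(url, "42.6.1"))              # fixed driver
    sample_sql = "SELECT -? AS a, ? AS b\nSELECT ? AS c\n"
    for number, line in flag_statements(sample_sql):
        print(f"review line {number}: {line}")
```

The version check is intentionally conservative: an unrecognised or very old version string is reported as unpatched rather than silently passed, and the statement scanner only narrows the set of queries a reviewer has to read, since whether a placeholder carries a number or a string is not visible in the SQL text.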

Weakness Enumeration

SQL injection

Related Identifiers

ALSA-2024:1435
ALSA-2024:1436
ALT-PU-2024-16562
ALT-PU-2024-16782
ALT-PU-2024-17651
BDU:2024-01541
BIT-POSTGRESQL-JDBC-DRIVER-2024-1597
CESA-2024_1435
CVE-2024-1597
DLA-3812-1
DLA-3995-1
GHSA-24RP-Q3W6-VC56
GHSA-XFG6-62PX-CXC2
INFSA-2024_1435
INFSA-2024_1436
MGASA-2024-0120
OESA-2024-1237
OPENSUSE-SU-2024:13734-1
OPENSUSE-SU-2024_0769-1
RHSA-2024:1435
RHSA-2024:1436
RHSA-2024:1649
RHSA-2024:1999
RHSA-2024:2624
RHSA-2024:3313
RHSA-2024:4375
RHSA-2024:4402
RHSA-2024_1435
RHSA-2024_1436
RLSA-2024:1435
RLSA-2024:1436
SUSE-SU-2024:0769-1
SUSE-SU-2024:0771-1
SUSE-SU-2024:0773-1
SUSE-SU-2024_0769-1
SUSE-SU-2024_0771-1
SUSE-SU-2024_0773-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Bamboo
Centos
Confluence
Jira
Red Hat
Red Os
Rocky Linux
Suse
Pgjdbc