PT-2024-2157 · Pgx+2

Paul-Gerste-Sonarsource · Published 2024-03-04 · Updated 2026-05-21 · CVE-2024-27289

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: pgx versions prior to 4.18.2
Description: The issue is a SQL injection in pgx, the PostgreSQL driver and toolkit for Go. It occurs when the non-default simple protocol is used, a placeholder for a numeric value is immediately preceded by a minus, there is a second placeholder for a string value after the first placeholder on the same line, and both parameter values are user-controlled. This allows an attacker to execute arbitrary SQL queries.
Recommendations: As a temporary workaround, do not use the simple protocol or do not place a minus directly before a placeholder. For versions prior to 4.18.2, update to version 4.18.2 to resolve the issue.

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

ALSA-2025_16880
ALT-PU-2024-12202
ALT-PU-2024-12410
ALT-PU-2024-9408
ALT-PU-2024-9897
AZL-35750
AZL-35763
BDU:2024-02067
CVE-2024-27289
GHSA-M7WR-2XF7-CM9P
GO-2024-2605

Affected Products

Alt Linux
Debian
Pgx