SQL Injection Vulnerability in pgx Prior to v4.18.2
CVE-2024-27289
8.1 HIGH
What is CVE-2024-27289?
pgx, the PostgreSQL driver and toolkit for Go, is vulnerable to SQL injection when all of the following conditions hold: the non-default simple protocol is in use, a placeholder for a numeric value is immediately preceded by a minus sign, a second placeholder for a string value follows it on the same line, and both parameter values are user-controlled. The issue is fixed in version 4.18.2. Where upgrading is not immediately possible, the workaround is to not use the simple protocol, or to not place a minus sign directly before a numeric placeholder.
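As an added illustration (not code from the pgx project or from this advisory), the following Go helper statically flags query strings that match the textual part of the conditions above: a `$N` placeholder immediately preceded by a minus sign, with another placeholder later on the same line. The type and function names are hypothetical, and the check cannot tell parameter types, whether the values are user-controlled, or whether the simple protocol is enabled, so it is a triage aid for reviewing a code base before upgrading, not a proof of exploitability.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding describes one line of a SQL statement whose text matches the
// CVE-2024-27289 pre-conditions that are visible statically.
type Finding struct {
	Line int    // 1-based line number within the statement
	Text string // the offending line, trimmed
}

// placeholder matches a pgx positional placeholder such as $1 or $12.
var placeholder = regexp.MustCompile(`\$[0-9]+`)

// minusPlaceholder matches a minus sign directly followed by a placeholder,
// e.g. "-$1". A space between "-" and "$1" deliberately does not match,
// since the advisory's condition is a minus *directly* before the placeholder.
var minusPlaceholder = regexp.MustCompile(`-\$[0-9]+`)

// AuditQuery (hypothetical name) returns one Finding per line that contains
// "-$N" followed by at least one more placeholder on the same line.
// Placeholders on later lines are not counted, matching the "same line"
// condition in the advisory.
func AuditQuery(sql string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(sql, "\n") {
		loc := minusPlaceholder.FindStringIndex(line)
		if loc == nil {
			continue
		}
		if placeholder.MatchString(line[loc[1]:]) {
			findings = append(findings, Finding{Line: i + 1, Text: strings.TrimSpace(line)})
		}
	}
	return findings
}

func main() {
	// Constructed sample queries; only the first matches the textual pattern.
	for _, q := range []string{
		"SELECT -$1 AS amount, $2 AS note FROM ledger",
		"SELECT - $1 AS amount, $2 AS note FROM ledger", // space after minus
		"SELECT -$1 AS amount,\n       $2 AS note FROM ledger", // different lines
	} {
		fmt.Printf("%q -> %v\n", q, AuditQuery(q))
	}
}
```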

Affected Version(s)
pgx < 4.18.2
