CVE-2024-27304

2024-03-0619:15:08

Debian Security Bug Tracker

security-tracker.debian.org

postgresql driver

toolkit for go

sql injection

integer overflow

message size

workaround

unix

10 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.0%

JSON

pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker’s control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

OSVersionArchitecturePackageVersionFilename
Debian12allgolang-github-jackc-pgx<= 4.15.0-4golang-github-jackc-pgx_4.15.0-4_all.deb
Debian11allgolang-github-jackc-pgx<= 3.6.2-2golang-github-jackc-pgx_3.6.2-2_all.deb
Debian999allgolang-github-jackc-pgx<= 4.18.1-1golang-github-jackc-pgx_4.18.1-1_all.deb
Debian13allgolang-github-jackc-pgx<= 4.18.1-1golang-github-jackc-pgx_4.18.1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	golang-github-jackc-pgx	<= 4.15.0-4	golang-github-jackc-pgx_4.15.0-4_all.deb
Debian	11	all	golang-github-jackc-pgx	<= 3.6.2-2	golang-github-jackc-pgx_3.6.2-2_all.deb
Debian	999	all	golang-github-jackc-pgx	<= 4.18.1-1	golang-github-jackc-pgx_4.18.1-1_all.deb
Debian	13	all	golang-github-jackc-pgx	<= 4.18.1-1	golang-github-jackc-pgx_4.18.1-1_all.deb