CVE-2024-27304 pgx SQL Injection via Protocol Message Size Overflow

2024-03-0619:07:08

CWE-89

CWE-190

GitHub_M

github.com

cve-2024-27304

pgx

sql injection

protocol message size overflow

postgresql driver

integer overflow

v4.18.2

v5.5.4

user input

workaround

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.8

Confidence

Low

SSVC

Exploitation

none

Automatable

yes

Technical Impact

partial

JSON

pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker’s control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:jackc:pgx:*:*:*:*:*:*:*:*"
    ],
    "vendor": "jackc",
    "product": "pgx",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "4.18.2",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:jackc:pgx:5.0.0:*:*:*:*:*:*:*"
    ],
    "vendor": "jackc",
    "product": "pgx",
    "versions": [
      {
        "status": "affected",
        "version": "5.0.0",
        "lessThan": "5.5.4",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]