CVE-2024-27289

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-27289
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df
https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df
https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/
Configurations

No configuration.

History

12 Jun 2025, 16:15

Type Values Removed Values Added
References
  • () https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/ -

21 Nov 2024, 09:04

Type Values Removed Values Added
References () https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df - () https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df -
References () https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p - () https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p -
Summary
  • (es) pgx es un controlador PostgreSQL y un conjunto de herramientas para Go. Antes de la versión 4.18.2, la inyección SQL puede ocurrir cuando se cumplen todas las condiciones siguientes: se utiliza el protocolo simple no predeterminado; un marcador de posición para un valor numérico debe ir precedido inmediatamente de un signo menos; debe haber un segundo marcador de posición para un valor de cadena después del primer marcador de posición; ambos deben estar en la misma línea; y ambos valores de parámetros deben ser controlados por el usuario. El problema se resuelve en v4.18.2. Como solución alternativa, no utilice el protocolo simple ni coloque un signo menos directamente antes de un marcador de posición.

06 Mar 2024, 21:42

Type Values Removed Values Added
New CVE
Information

Published : 2024-03-06 19:15

Updated : 2025-06-12 16:15

NVD link : CVE-2024-27289

Mitre link : CVE-2024-27289

CVE.ORG link : CVE-2024-27289

JSON object : View

Products Affected

No product.

CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')