← Volver a CVEs

CVE-2024-1597

CRITICAL

10.0

Descripcion

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.

Detalles CVE

Puntuacion CVSS v3.110.0

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado2/19/2024

Ultima modificacion11/3/2025

Fuentenvd

Avistamientos honeypot0

Productos afectados

fedoraproject:fedorapostgresql:postgresql_jdbc_driver

Debilidades (CWE)

CWE-89CWE-89

Referencias

http://www.openwall.com/lists/oss-security/2024/04/02/6(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

https://lists.debian.org/debian-lts-announce/2024/05/msg00007.html(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZQTSMESZD2RJ5XBPSXH3TIQVUW5DIUU/(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

https://security.netapp.com/advisory/ntap-20240419-0008/(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes/(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

http://www.openwall.com/lists/oss-security/2024/04/02/6(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56(af854a3a-2127-422b-91ae-364da2661108)

https://lists.debian.org/debian-lts-announce/2024/05/msg00007.html(af854a3a-2127-422b-91ae-364da2661108)

https://lists.debian.org/debian-lts-announce/2024/12/msg00017.html(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZQTSMESZD2RJ5XBPSXH3TIQVUW5DIUU/(af854a3a-2127-422b-91ae-364da2661108)

https://security.netapp.com/advisory/ntap-20240419-0008/(af854a3a-2127-422b-91ae-364da2661108)

https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes/(af854a3a-2127-422b-91ae-364da2661108)

https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/(af854a3a-2127-422b-91ae-364da2661108)

https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.