← Retour aux CVEs

CVE-2024-1597

CRITICAL

10.0

Description

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.

Details CVE

Score CVSS v3.110.0

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie2/19/2024

Derniere modification11/3/2025

Sourcenvd

Observations honeypot0

Produits affectes

fedoraproject:fedorapostgresql:postgresql_jdbc_driver

Faiblesses (CWE)

CWE-89CWE-89

References

http://www.openwall.com/lists/oss-security/2024/04/02/6(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

https://lists.debian.org/debian-lts-announce/2024/05/msg00007.html(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZQTSMESZD2RJ5XBPSXH3TIQVUW5DIUU/(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

https://security.netapp.com/advisory/ntap-20240419-0008/(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes/(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

http://www.openwall.com/lists/oss-security/2024/04/02/6(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56(af854a3a-2127-422b-91ae-364da2661108)

https://lists.debian.org/debian-lts-announce/2024/05/msg00007.html(af854a3a-2127-422b-91ae-364da2661108)

https://lists.debian.org/debian-lts-announce/2024/12/msg00017.html(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZQTSMESZD2RJ5XBPSXH3TIQVUW5DIUU/(af854a3a-2127-422b-91ae-364da2661108)

https://security.netapp.com/advisory/ntap-20240419-0008/(af854a3a-2127-422b-91ae-364da2661108)

https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes/(af854a3a-2127-422b-91ae-364da2661108)

https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/(af854a3a-2127-422b-91ae-364da2661108)

https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/(af854a3a-2127-422b-91ae-364da2661108)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.