Headline
GHSA-m7wr-2xf7-cm9p: pgx SQL Injection via Line Comment Creation
Impact
SQL injection can occur when all of the following conditions are met:
- The non-default simple protocol is used.
- A placeholder for a numeric value must be immediately preceded by a minus.
- There must be a second placeholder for a string value after the first placeholder; both must be on the same line.
- Both parameter values must be user-controlled.
e.g.
Simple mode must be enabled:
// connection string includes "prefer_simple_protocol=true"
// or
// directly enabled in code
config.ConnConfig.PreferSimpleProtocol = true
Parameterized query:
SELECT * FROM example WHERE result=-$1 OR name=$2;
Parameter values:
$1
=> -42
$2
=> "foo\n 1 AND 1=0 UNION SELECT * FROM secrets; --"
Resulting query after preparation:
SELECT * FROM example WHERE result=--42 OR name= 'foo
1 AND 1=0 UNION SELECT * FROM secrets; --';
Patches
The problem is resolved in v4.18.2.
Workarounds
Do not use the simple protocol or do not place a minus directly before a placeholder.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-27289
pgx SQL Injection via Line Comment Creation
Moderate severity GitHub Reviewed Published Mar 4, 2024 in jackc/pgx • Updated Mar 4, 2024
Package
gomod github.com/jackc/pgx (Go)
Affected versions
< 4.18.2
Impact
SQL injection can occur when all of the following conditions are met:
- The non-default simple protocol is used.
- A placeholder for a numeric value must be immediately preceded by a minus.
- There must be a second placeholder for a string value after the first placeholder; both
must be on the same line. - Both parameter values must be user-controlled.
e.g.
Simple mode must be enabled:
// connection string includes “prefer_simple_protocol=true” // or // directly enabled in code config.ConnConfig.PreferSimpleProtocol = true
Parameterized query:
SELECT * FROM example WHERE result=-$1 OR name=$2;
Parameter values:
$1 => -42
$2 => "foo\n 1 AND 1=0 UNION SELECT * FROM secrets; --"
Resulting query after preparation:
SELECT * FROM example WHERE result=–42 OR name= 'foo 1 AND 1=0 UNION SELECT * FROM secrets; --';
Patches
The problem is resolved in v4.18.2.
Workarounds
Do not use the simple protocol or do not place a minus directly before a placeholder.
References
- GHSA-m7wr-2xf7-cm9p
- jackc/pgx@f94eb0e
Published to the GitHub Advisory Database
Mar 4, 2024
Related news
Red Hat Security Advisory 2024-7944-03 - Red Hat OpenShift Container Platform release 4.16.17 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a remote SQL injection vulnerability.
Red Hat Security Advisory 2024-1321-03 - Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes bug and security fixes. Issues addressed include a remote SQL injection vulnerability.