Vulnerability Report: GO-2024-2605

CVE-2024-27289, GHSA-m7wr-2xf7-cm9p
Affects: github.com/jackc/pgx, github.com/jackc/pgx/v4
Published: Mar 11, 2024
Modified: Sep 13, 2024

SQL injection is possible when the database uses the non-default simple protocol, a minus sign directly precedes a numeric placeholder followed by a string placeholder on the same line, and both parameter values are user-controlled.

For detailed information about this vulnerability, visit https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p.

Affected Packages

Path

Go Versions

Symbols
github.com/jackc/pgx/internal/sanitize

all versions, no known fixed
- Query.Sanitize
- SanitizeSQL
github.com/jackc/pgx/v4/internal/sanitize

before v4.18.2
- Query.Sanitize
- SanitizeSQL

Aliases

CVE-2024-27289
GHSA-m7wr-2xf7-cm9p

References

https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df
https://vuln.go.dev/ID/GO-2024-2605.json

Credits

paul-gerste-sonarsource

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL