Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tN3dyLTJ4ZjctY205cM4AA5v_

pgx SQL Injection via Line Comment Creation

Impact

SQL injection can occur when all of the following conditions are met:

  1. The non-default simple protocol is used.
  2. A placeholder for a numeric value must be immediately preceded by a minus.
  3. There must be a second placeholder for a string value after the first placeholder; both
    must be on the same line.
  4. Both parameter values must be user-controlled.

e.g.

Simple mode must be enabled:

// connection string includes "prefer_simple_protocol=true"
// or
// directly enabled in code
config.ConnConfig.PreferSimpleProtocol = true

Parameterized query:

SELECT * FROM example WHERE result=-$1 OR name=$2;

Parameter values:

$1 => -42
$2 => "foo\n 1 AND 1=0 UNION SELECT * FROM secrets; --"

Resulting query after preparation:

SELECT * FROM example WHERE result=--42 OR name= 'foo
1 AND 1=0 UNION SELECT * FROM secrets; --';

Patches

The problem is resolved in v4.18.2.

Workarounds

Do not use the simple protocol or do not place a minus directly before a placeholder.

Permalink: https://github.com/advisories/GHSA-m7wr-2xf7-cm9p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tN3dyLTJ4ZjctY205cM4AA5v_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: about 1 month ago


Identifiers: GHSA-m7wr-2xf7-cm9p, CVE-2024-27289
References: Repository: https://github.com/jackc/pgx
Blast Radius: 0.0

Affected Packages

go:github.com/jackc/pgx/v4
Dependent packages: 8,017
Dependent repositories: 18,275
Downloads:
Affected Version Ranges: < 4.18.2
Fixed in: 4.18.2
All affected versions: 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.10.0, 4.10.1, 4.11.0, 4.12.0, 4.13.0, 4.14.0, 4.14.1, 4.15.0, 4.16.0, 4.16.1, 4.17.0, 4.17.1, 4.17.2, 4.18.0, 4.18.1
All unaffected versions: 4.18.2, 4.18.3
go:github.com/jackc/pgx
Dependent packages: 1,365
Dependent repositories: 7,357
Downloads:
Affected Version Ranges: < 4.18.2
Fixed in: 4.18.2
All affected versions: 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.9.0, 2.10.0, 2.11.0, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.6.1, 3.6.2
All unaffected versions: