Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1tN3dyLTJ4ZjctY205cM4AA5v_

pgx SQL Injection via Line Comment Creation

Impact

SQL injection can occur when all of the following conditions are met:

1. The non-default simple protocol is used.
2. A placeholder for a numeric value must be immediately preceded by a minus.
3. There must be a second placeholder for a string value after the first placeholder; both
   must be on the same line.
4. Both parameter values must be user-controlled.

e.g.

Simple mode must be enabled:

// connection string includes "prefer_simple_protocol=true"
// or
// directly enabled in code
config.ConnConfig.PreferSimpleProtocol = true

Parameterized query:

SELECT * FROM example WHERE result=-$1 OR name=$2;

Parameter values:

$1 => -42
$2 => "foo\n 1 AND 1=0 UNION SELECT * FROM secrets; --"

Resulting query after preparation:

SELECT * FROM example WHERE result=--42 OR name= 'foo
1 AND 1=0 UNION SELECT * FROM secrets; --';

Patches

The problem is resolved in v4.18.2.

Workarounds

Do not use the simple protocol or do not place a minus directly before a placeholder.

Permalink: https://github.com/advisories/GHSA-m7wr-2xf7-cm9p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tN3dyLTJ4ZjctY205cM4AA5v_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 9 months ago
Updated: 3 months ago

CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-m7wr-2xf7-cm9p, CVE-2024-27289
References:

• https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
• https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df
• https://github.com/advisories/GHSA-m7wr-2xf7-cm9p

Repository: https://github.com/jackc/pgx
Blast Radius: 34.5

Affected Packages