CVE-2024-27289
SQL Injection vulnerability in pgx (Go)

SQL Injection | No known exploit | Fixable by Resolved Security

What is CVE-2024-27289 About?

This SQL injection vulnerability in a Go PostgreSQL driver occurs only under a specific combination of conditions: the non-default simple protocol is in use, a numeric placeholder is immediately preceded by a minus sign, and a string placeholder appears on the same line. Attackers can then inject SQL through user-controlled parameter values, bypassing the driver's escaping to execute arbitrary database operations. Exploiting this requires a precise setup, but it is straightforward once those conditions are met.

Affected Software

  • github.com/jackc/pgx
    • <4.18.2
  • github.com/jackc/pgx/v4
    • <4.18.2

Technical Details

The SQL injection vulnerability arises in a Go PostgreSQL client when it uses the non-default 'simple protocol' (prefer_simple_protocol=true). It specifically affects parameterized queries in which a numeric placeholder ($1) is immediately preceded by a minus sign and a second, string placeholder ($2) appears on the same line, with both values under user control.

The issue occurs during query preparation. When a negative value is supplied for the first parameter (e.g., $1 evaluates to -42), the minus sign from the query template and the negative sign of the parameter value fuse into '--', which starts a SQL line comment and effectively comments out part of the query. The string parameter ($2) on the same line is then processed incorrectly because its quoting falls inside that comment, allowing an attacker to inject arbitrary SQL within its value. For example, WHERE result=--42 OR name='INJECTED SQL' bypasses proper escaping for the injected part, leading to SQL injection.

What is the Impact of CVE-2024-27289?

Successful exploitation may allow attackers to execute arbitrary SQL commands on the database, leading to unauthorized data access, modification, deletion, or even full compromise of the database system.

What is the Exploitability of CVE-2024-27289?

Exploitation complexity is moderate, since it requires a very specific combination of conditions: the non-default 'simple protocol' must be enabled in the application's database connection, the vulnerable SQL query must have a numeric placeholder immediately preceded by a minus sign and followed by a string placeholder on the same line, and both parameters must be controllable by the attacker. Authentication to the application is typically required to supply these parameters, implying a remote but authenticated attack vector. No special system privileges are needed beyond executing valid queries that match the vulnerable pattern. The primary risk factor is the presence of this uncommon but specific query structure in the application, combined with use of the simple protocol. Workarounds include avoiding the simple protocol or restructuring the affected queries.
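As an added illustration for the mechanism in Technical Details and the workarounds noted above (this is example code written for this page, not code from pgx or from the original entry), the Go program below models the substitution step with a deliberately simplified renderer: it stands in for the driver's simple-protocol sanitizer, whose real implementation differs. It shows how a minus sign in the template and a negative value fuse into '--', flags query templates that have the risky '-$N ... $M' shape on one line (a static check to run over a code base), and spots 'prefer_simple_protocol=true' in a connection string. The 'spaceNegative' switch, which emits a leading space before negative numbers so the two signs cannot fuse, is one mitigation consistent with the described cause; it is this example's own and not a description of how 4.18.2 fixes the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// literal converts one Go value to SQL text the way a simple-protocol client
// must: numbers become plain digits, strings become single-quoted literals with
// embedded quotes doubled. This is a simplified model, not pgx's sanitizer.
// With spaceNegative set, a negative number gets a leading space so that a "-"
// already present in the template cannot fuse with the value's sign into "--".
func literal(v interface{}, spaceNegative bool) string {
	switch x := v.(type) {
	case int:
		s := strconv.Itoa(x)
		if spaceNegative && x < 0 {
			s = " " + s
		}
		return s
	case string:
		return "'" + strings.ReplaceAll(x, "'", "''") + "'"
	default:
		return "NULL"
	}
}

// renderSimple substitutes $1..$N in tmpl with the rendered args. Placeholders
// are replaced from the highest index down so that "$1" never clobbers "$10".
func renderSimple(tmpl string, args []interface{}, spaceNegative bool) string {
	out := tmpl
	for i := len(args); i >= 1; i-- {
		out = strings.ReplaceAll(out, "$"+strconv.Itoa(i), literal(args[i-1], spaceNegative))
	}
	return out
}

// injectedComment reports whether substitution created a "--" line-comment
// marker that the template itself did not contain.
func injectedComment(tmpl, rendered string) bool {
	return strings.Count(rendered, "--") > strings.Count(tmpl, "--")
}

// riskyPattern is the query shape from the advisory: a placeholder immediately
// preceded by "-" with a second placeholder later on the same line.
var riskyPattern = regexp.MustCompile(`-\$\d+[^\n]*\$\d+`)

// hasRiskyPattern is a static check to run over the query templates in a code base.
func hasRiskyPattern(tmpl string) bool {
	return riskyPattern.MatchString(tmpl)
}

// usesSimpleProtocol spots the non-default setting in a connection string
// (keyword=value or URL query form); without it this CVE does not apply.
func usesSimpleProtocol(connString string) bool {
	return strings.Contains(connString, "prefer_simple_protocol=true")
}

func main() {
	// Constructed sample template and parameter values mirroring the advisory's shape.
	const tmpl = "SELECT id FROM results WHERE result=-$1 OR name=$2"
	args := []interface{}{-42, "INJECTED SQL"}

	fmt.Println("risky template:", hasRiskyPattern(tmpl))
	fmt.Println("simple protocol:", usesSimpleProtocol("host=db prefer_simple_protocol=true"))

	vuln := renderSimple(tmpl, args, false)
	fmt.Printf("unsafe: %s  (comment injected: %v)\n", vuln, injectedComment(tmpl, vuln))

	safe := renderSimple(tmpl, args, true)
	fmt.Printf("safe:   %s  (comment injected: %v)\n", safe, injectedComment(tmpl, safe))
}
```

In a review, hasRiskyPattern is the useful piece: run it over every query template in the repository and, for any hit, either switch the connection off the simple protocol or rewrite the query so the minus sign is not adjacent to the placeholder; the renderer exists only to make the '--42' artifact visible.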

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2024-27289?

A Fix by Resolved Security Exists!

Available Upgrade Options

  • github.com/jackc/pgx/v4
    • <4.18.2 → Upgrade to 4.18.2
  • github.com/jackc/pgx
    • <4.18.2 → Upgrade to 4.18.2


Additional Resources

What are Similar Vulnerabilities to CVE-2024-27289?

Similar Vulnerabilities: CVE-2022-28214, CVE-2020-0796, CVE-2023-28432, CVE-2021-3928, CVE-2022-38605