GHSA-j88v-2chj-qfwx
SQL Injection vulnerability in v5 (Go)
What is GHSA-j88v-2chj-qfwx About?
This vulnerability allows for SQL Injection under specific, uncommon conditions when using `pgx`'s simple protocol with dollar-quoted string literals. An attacker can manipulate placeholder values within such literals to inject arbitrary SQL. While unlikely to occur in typical scenarios, it can lead to unauthorized data access or manipulation if exploited.
Affected Software
- github.com/jackc/pgx/v5
- <5.9.2
- github.com/jackc/pgx/v4
- <=4.18.3
- github.com/jackc/pgx
- <=3.6.2
Technical Details
The vulnerability occurs in the pgx library when the non-default simple protocol is utilized for SQL query execution. Specifically, it manifests if an SQL query employs a dollar-quoted string literal, and this string literal contains text that, outside of a string literal context, would be interpreted as a query placeholder (e.g., $1). The core issue arises when the value associated with this interpreted placeholder is supplied by an attacker. For example, in the query select $tag$ $1 $tag$, $1, if an attacker controls the value bound to the second $1 and injects SQL such as $tag$; drop table canary; --, it can break out of the dollar-quoted string and execute arbitrary SQL commands. This is due to improper handling of the pgx.QueryExecModeSimpleProtocol where the parsing context of dollar-quoted strings is not strictly maintained, allowing for placeholder interpretation within the quoted section that should otherwise be literal.
What is the Impact of GHSA-j88v-2chj-qfwx?
Successful exploitation may allow attackers to execute arbitrary SQL commands, including data retrieval, modification, or deletion, leading to unauthorized access to sensitive information or compromise of database integrity.
What is the Exploitability of GHSA-j88v-2chj-qfwx?
Exploitation of this SQL injection vulnerability is of high complexity due to a highly specific set of conditions that must be met. The application must be explicitly configured to use pgx.QueryExecModeSimpleProtocol, employ dollar-quoted string literals in its SQL queries, and crucially, allow attacker-controlled input to be interpolated into a placeholder within such a dollar-quoted string. No authentication is required for the SQL injection itself if the injection point is accessible to an unauthenticated user. Privilege requirements are typically those of the database user account connected by the application. This is generally a remote attack, as it targets the application's interaction with the database. The critical constraint is the rare combination of simple protocol usage, dollar-quoted literals, and attacker-controlled interpolation. The risk factors increasing exploitation likelihood are minimal outside of specifically crafted or highly unusual scenarios where developers have mismatched these specific pgx features.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for GHSA-j88v-2chj-qfwx?
Available Upgrade Options
- github.com/jackc/pgx/v5
- <5.9.2 → Upgrade to 5.9.2
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
What are Similar Vulnerabilities to GHSA-j88v-2chj-qfwx?
Similar Vulnerabilities: CVE-2021-38561 , CVE-2022-31057 , CVE-2023-31295 , CVE-2023-36665 , CVE-2023-45199
