pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.
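As an added illustration, not pgx's own code, of the length overflow the advisory describes and of its recommended workaround: the Go program below computes the framed size of a Bind message under a simplified, assumed layout, shows that value silently wrapping when stored in a 32-bit field, and rejects input that would exceed 4 GB before it reaches the driver. The message layout, function names and the size constant are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not pgx code. The PostgreSQL frontend/backend protocol frames
// every message with a 32-bit length field; the advisory describes an overflow
// in pgx's computed length once a query or bind message exceeds 4 GB.
const maxMessageLen = int64(1)<<32 - 1 // largest value a 32-bit length can hold

var ErrMessageTooLarge = errors.New("query or bind message would exceed 4 GB")

// bindMessageLen estimates the on-wire size of a Bind message carrying
// parameters of the given lengths. Constructed, simplified layout: 4-byte
// length field, 2-byte parameter count, then a 4-byte length plus the bytes
// of each parameter (the real message also carries names and format codes).
func bindMessageLen(paramLens []int64) int64 {
	total := int64(4 + 2)
	for _, n := range paramLens {
		total += 4 + n
	}
	return total
}

// truncated32 is what the same length becomes once stored in a 32-bit field:
// it wraps, so the receiver sees a much shorter frame and parses the bytes
// after it as further messages, which is how one oversized message turns into
// several, as the advisory describes.
func truncated32(n int64) uint32 { return uint32(n) }

// checkBindSize is the advisory's workaround applied at the call site: reject
// input whose Bind message could not be framed, before the driver sees it.
func checkBindSize(paramLens []int64) error {
	if n := bindMessageLen(paramLens); n > maxMessageLen {
		return fmt.Errorf("%w (%d bytes)", ErrMessageTooLarge, n)
	}
	return nil
}

func main() {
	small := []int64{5, 7}
	huge := []int64{1 << 32} // one 4 GB parameter, described by length only, never allocated
	fmt.Println(bindMessageLen(small), checkBindSize(small))
	fmt.Println(bindMessageLen(huge), truncated32(bindMessageLen(huge)), checkBindSize(huge))
}
```

The wrapped value for the 4 GB parameter is 10, a frame length far smaller than the data actually sent.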
History

Thu, 12 Dec 2024 21:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Jackc
                                       Jackc pgx
CPEs                                   cpe:2.3:a:jackc:pgx:*:*:*:*:*:*:*:*
                                       cpe:2.3:a:jackc:pgx:5.0.0:*:*:*:*:*:*:*
Vendors & Products                     Jackc
                                       Jackc pgx
Metrics                                ssvc
                                       {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Dec 2024 21:00:00 +0000

Type                  Values Removed   Values Added
References

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-06T19:07:08.491Z

Updated: 2024-12-12T20:52:24.821Z

Reserved: 2024-02-22T18:08:38.875Z

Link: CVE-2024-27304

Vulnrichment

Updated: 2024-08-02T00:27:59.959Z

NVD

Status: Awaiting Analysis

Published: 2024-03-06T19:15:08.767

Modified: 2024-12-12T21:15:07.677

Link: CVE-2024-27304

Redhat

Severity: Moderate

Public Date: 2024-03-06T00:00:00Z

Links: CVE-2024-27304 - Bugzilla