Bug 2266523 (CVE-2024-1597) - CVE-2024-1597 pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE
Status: NEW
Alias: CVE-2024-1597
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
Depends On: 2266524 2266525 2270746
Blocks: 2266526
Reported: 2024-02-28 04:38 UTC by Avinash Hanwate
Modified: 2024-04-23 14:26 UTC (History)

Fixed In Version: PostgreSQL JDBC Driver 42.7.2, PostgreSQL JDBC Driver 42.6.1, PostgreSQL JDBC Driver 42.5.5, PostgreSQL JDBC Driver 42.4.4, PostgreSQL JDBC Driver 42.3.9, PostgreSQL JDBC Driver 42.2.28, PostgreSQL JDBC Driver 42.2.28.jre7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the PostgreSQL JDBC Driver. A SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value.




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2024:1950  0        None      None    None     2024-04-22 14:53:43 UTC
Red Hat Product Errata  RHSA-2024:1435  0        None      None    None     2024-03-20 08:21:48 UTC
Red Hat Product Errata  RHSA-2024:1436  0        None      None    None     2024-03-20 09:25:36 UTC
Red Hat Product Errata  RHSA-2024:1649  0        None      None    None     2024-04-02 20:50:05 UTC
Red Hat Product Errata  RHSA-2024:1662  0        None      None    None     2024-04-03 10:53:30 UTC
Red Hat Product Errata  RHSA-2024:1686  0        None      None    None     2024-04-04 21:33:14 UTC
Red Hat Product Errata  RHSA-2024:1797  0        None      None    None     2024-04-22 10:59:39 UTC
Red Hat Product Errata  RHSA-2024:1999  0        None      None    None     2024-04-23 14:26:02 UTC

Description Avinash Hanwate 2024-02-28 04:38:15 UTC
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.

https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes/
https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/
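Added example (not from the bug report or the pgjdbc project): a small audit script that checks the three conditions the description above names for CVE-2024-1597: a driver below the fixed release of its branch (fixed versions taken from this bug's Fixed In Version field), preferQueryMode=simple set in the JDBC URL or Properties, and a '?' placeholder immediately preceded by a minus with a second placeholder on the same line. The sample statements and connection string are constructed.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Fixed releases per 42.x branch, taken from this bug's "Fixed In Version" field.
FIXED_VERSIONS = ["42.7.2", "42.6.1", "42.5.5", "42.4.4", "42.3.9", "42.2.28"]

def _ver(version: str) -> tuple:
    # "42.2.28.jre7" -> (42, 2, 28); suffixes such as .jre7 are ignored
    return tuple(int(p) for p in version.split(".")[:3])

def is_fixed_driver(version: str) -> bool:
    """True if the driver is at or above the fixed release of its 42.x branch."""
    v = _ver(version)
    for fixed in FIXED_VERSIONS:
        f = _ver(fixed)
        if v[:2] == f[:2]:
            return v >= f
    return v > _ver(FIXED_VERSIONS[0])  # branches newer than 42.7 carry the fix

def uses_simple_query_mode(jdbc_url: str, props: Optional[dict] = None) -> bool:
    """True when preferQueryMode=simple is set in the URL query or in Properties."""
    mode = (props or {}).get("preferQueryMode")
    if mode is None and "?" in jdbc_url:
        mode = parse_qs(jdbc_url.split("?", 1)[1]).get("preferQueryMode", [None])[0]
    return mode is not None and mode.strip().lower() == "simple"

_LITERAL = re.compile(r"'(?:[^']|'')*'")  # single-quoted SQL string literals
_LINE_COMMENT = re.compile(r"--[^\n]*")
_RISKY_SHAPE = re.compile(r"-\?[^\n]*\?")  # "-?" then another "?" on the same line

def has_negated_placeholder_shape(sql: str) -> bool:
    """True if a placeholder directly follows '-' and a second one follows on that line."""
    cleaned = _LINE_COMMENT.sub("", _LITERAL.sub("''", sql))  # ignore '?' inside literals
    return _RISKY_SHAPE.search(cleaned) is not None

def audit(driver_version: str, jdbc_url: str, props: Optional[dict], statements) -> list:
    """Statements exposed to CVE-2024-1597: all three conditions must hold."""
    if is_fixed_driver(driver_version) or not uses_simple_query_mode(jdbc_url, props):
        return []
    return [s for s in statements if has_negated_placeholder_shape(s)]

# Constructed sample statements (not from the advisory or the bug report).
SAMPLES = [
    "SELECT * FROM orders WHERE credit = -? AND customer = ?",     # risky shape
    "SELECT * FROM orders WHERE credit = ? AND customer = ?",      # no minus
    "SELECT * FROM orders WHERE credit = -?\n  AND customer = ?",  # second ? on next line
    "SELECT * FROM orders WHERE note = 'a-?b' AND customer = ?",   # '-?' inside a literal
]
```

Call audit(driver_version, jdbc_url, props, statements) with your own JDBC URL and the SQL strings handed to prepareStatement; an empty result on a driver below the fixed release still means the upgrade is due, it only shows that the simple-mode precondition is absent.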

Comment 1 Avinash Hanwate 2024-02-28 04:40:28 UTC
Created postgresql-jdbc tracking bugs for this issue:

Affects: fedora-all [bug 2266524]

Comment 7 errata-xmlrpc 2024-03-20 08:21:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1435 https://access.redhat.com/errata/RHSA-2024:1435

Comment 8 errata-xmlrpc 2024-03-20 09:25:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1436 https://access.redhat.com/errata/RHSA-2024:1436

Comment 14 errata-xmlrpc 2024-04-02 20:50:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1649 https://access.redhat.com/errata/RHSA-2024:1649

Comment 15 errata-xmlrpc 2024-04-03 10:53:26 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.11

Via RHSA-2024:1662 https://access.redhat.com/errata/RHSA-2024:1662

Comment 16 errata-xmlrpc 2024-04-04 21:33:10 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:1686 https://access.redhat.com/errata/RHSA-2024:1686

Comment 17 errata-xmlrpc 2024-04-22 10:59:35 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.9.SP2

Via RHSA-2024:1797 https://access.redhat.com/errata/RHSA-2024:1797

Comment 18 errata-xmlrpc 2024-04-23 14:25:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1999 https://access.redhat.com/errata/RHSA-2024:1999

