CVE-2024-1597: PostgreSQL pgjdbc: SQL injection in non-default configuration

oss-sec mailing list archives

From: daniel <sd () x17 eu>

Date: Wed, 3 Apr 2024 00:39:06 +0200

###
##      Summary
###
On the 21st of February 2024 a security advisory for the JDBC driver of 
PostgreSQL was published [1].
It states: "SQL injection is possible when using the non-default 
connection property preferQueryMode=simple in combination with 
application code that has a vulnerable SQL that negates a parameter value."
Corresponding fixes were published on the 19th of February 2024.

###
##      Severity
###
The severity is critical with a CVSS score of 10 but several conditions 
must be met for successful exploitation.

Quote from [1]:
To exploit this behavior the following additional conditions must be met:

    A placeholder for a numeric value must be immediately preceded by a 
minus (i.e. -)
    There must be a second placeholder for a string value after the 
first placeholder on the same line.
    Both parameters must be user controlled.

###
##      Example from [1]
###
PreparedStatement stmt = conn.prepareStatement("SELECT -?, ?");
stmt.setInt(1, -1);
stmt.setString(2, "\nWHERE false --");
ResultSet rs = stmt.executeQuery();

The resulting SQL when operating in simple query mode would be:

SELECT --1,'
WHERE false --'

and the result after the fix applied:

SELECT -('-1'::int4), ('
WHERE false --')
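As an added illustration (not code from the advisory or from pgjdbc itself, which is written in Java), the following Python models the two renderings quoted above and then runs a string-aware comment stripper over each result to show what the server would actually parse. The substitution rules in render_simple_mode_vulnerable and render_simple_mode_fixed are assumptions reconstructed from the advisory's two outputs, not the driver's real implementation; find_risky_templates is a hypothetical audit helper that applies the advisory's three conditions (a '?' immediately preceded by '-', a second '?' later on the same line) to query-template source so a code base can be screened for the pattern.

```python
import re
from typing import List, Sequence, Tuple, Union

Param = Union[int, str]

# Advisory pattern, applied per line: a '?' immediately preceded by '-'
# and another '?' later on the same line.  (Hypothetical audit helper.)
_RISKY_LINE = re.compile(r"-\?.*\?")


def quote_string(value: str) -> str:
    """Render a SQL string literal (single quotes doubled)."""
    return "'" + value.replace("'", "''") + "'"


def _substitute(sql: str, params: Sequence[Param], render) -> str:
    """Replace each '?' with render(param), left to right.
    This is a model of client-side substitution, not pgjdbc's code."""
    if sql.count("?") != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    it = iter(params)
    return re.sub(r"\?", lambda _m: render(next(it)), sql)


def render_simple_mode_vulnerable(sql: str, params: Sequence[Param]) -> str:
    """Assumed pre-fix behaviour: integers inlined as bare literals, strings quoted."""
    return _substitute(sql, params,
                       lambda p: str(p) if isinstance(p, int) else quote_string(p))


def render_simple_mode_fixed(sql: str, params: Sequence[Param]) -> str:
    """Assumed post-fix behaviour, modelled on the advisory's output: every
    parameter is parenthesised and integers are cast from a quoted literal."""
    return _substitute(sql, params,
                       lambda p: f"('{p}'::int4)" if isinstance(p, int)
                       else f"({quote_string(p)})")


def strip_line_comments(sql: str) -> str:
    """Return the text the server parses: drop '-- ...' to end of line,
    but only when the '--' is outside a single-quoted string literal."""
    out: List[str] = []
    i, n, in_str = 0, len(sql), False
    while i < n:
        c = sql[i]
        if in_str:
            out.append(c)
            if c == "'":
                if i + 1 < n and sql[i + 1] == "'":   # doubled quote inside literal
                    out.append("'")
                    i += 2
                    continue
                in_str = False
            i += 1
        elif c == "'":
            in_str = True
            out.append(c)
            i += 1
        elif sql.startswith("--", i):
            nl = sql.find("\n", i)          # comment runs to end of line; keep the newline
            i = n if nl == -1 else nl
        else:
            out.append(c)
            i += 1
    return "".join(out)


def find_risky_templates(source: str) -> List[Tuple[int, str]]:
    """Flag query-template lines matching the advisory's pattern (1-based line numbers)."""
    return [(no, line) for no, line in enumerate(source.splitlines(), 1)
            if _RISKY_LINE.search(line)]


if __name__ == "__main__":
    template = "SELECT -?, ?"                        # the advisory's example template
    params = [-1, "\nWHERE false --"]                # constructed, as in the advisory
    for name, render in (("vulnerable", render_simple_mode_vulnerable),
                         ("fixed", render_simple_mode_fixed)):
        rendered = render(template, params)
        print(f"{name}: {rendered!r}")
        print(f"  server parses: {strip_line_comments(rendered)!r}")
    print("risky templates:", find_risky_templates("SELECT -?, ?\nSELECT ?, -?\n"))
```

In the vulnerable rendering the stripper removes the opening quote along with the rest of the first line, so the string parameter's content survives as bare SQL; in the fixed rendering the quoted literal is intact and the trailing `--` stays inside it. The template screen only narrows what to audit; the fix is the upgraded driver versions listed below, and the precondition remains the non-default preferQueryMode=simple setting.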

###
##      Affected products and versions
###
pgJDBC [1]

    All versions prior to 42.7.2
    All versions prior to 42.6.1
    All versions prior to 42.5.5
    All versions prior to 42.4.4
    All versions prior to 42.3.9
    All versions prior to 42.2.28
    All versions prior to 42.2.28.jre7

EnterpriseDB pgJDBC [2]

    All versions prior to 42.5.4.2

and likely other products which bundle the above products like Atlassian 
Bamboo Data Center and Server [3] or IBM Maximo Application Suite [4].

###
##      Credit
###
Paul Gerste [5] has been credited as the reporter of the vulnerability [1].

References:
[1] https://github.com/advisories/GHSA-24rp-q3w6-vc56
[2] https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/
[3] https://jira.atlassian.com/browse/BAM-25716
[4] https://www.ibm.com/support/pages/security-bulletin-ibm-maximo-application-suite-uses-postgresql-4238jar-which-vulnerable-cve-2024-1597
[5] https://github.com/paul-gerste-sonarsource
