Home > Vulnerability Database > CVE-2024-1597

Mend.io Vulnerability Database

CVE-2024-1597

Good to know:

Date: February 19, 2024

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.

Language: Java

Severity Score

10.0

Related Resources (22)

Url: https://github.com/aws/amazon-redshift-jdbc-driver

Url: https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes/

Url: https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-32888

Url: https://github.com/pgjdbc/pgjdbc/commit/06abfb78a627277a580d4df825f210e96a4e14ee

Url: https://github.com/aws/amazon-redshift-jdbc-driver/commit/12a5e8ecfbb44c8154fc66041cca2e20ecd7b339

Url: https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes

Url: http://www.openwall.com/lists/oss-security/2024/04/02/6

Url: https://github.com/aws/amazon-redshift-jdbc-driver/commit/bc93694201a291493778ce5369a72befeca5ba7d

Url: https://security.netapp.com/advisory/ntap-20240419-0008

Url: https://github.com/aws/amazon-redshift-jdbc-driver/security/advisories/GHSA-x3wm-hffr-chwm

Url: https://security.netapp.com/advisory/ntap-20240419-0008/

Url: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56

Url: https://github.com/pgjdbc/pgjdbc

Url: https://github.com/aws/amazon-redshift-jdbc-driver/commit/0d354a5f26ca23f7cac4e800e3b8734220230319

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZQTSMESZD2RJ5XBPSXH3TIQVUW5DIUU/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZQTSMESZD2RJ5XBPSXH3TIQVUW5DIUU

Url: https://lists.debian.org/debian-lts-announce/2024/05/msg00007.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-1597

Url: https://github.com/pgjdbc/pgjdbc/commit/93b0fcb2711d9c1e3a2a03134369738a02a58b40

Url: https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597

Url: https://www.mend.io/vulnerability-database/CVE-2024-1597

Severity Score

10.0

Weakness Type (CWE)

SQL Injection

CWE-89

Top Fix

Upgrade Version

Upgrade to version org.postgresql:postgresql:42.2.8,42.3.9,42.4.4,42.5.5,42.6.1,42.7.2

Learn More

CVSS v3.1

Base Score:	10.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-1597

Good to know:

Date: February 19, 2024

Language: Java

Severity Score

Related Resources (22)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?