Platform
go
Component
github.com/jackc/pgproto3/v2
Fixed in
4.18.3
5.0.1
2.3.3
CVE-2024-27304 describes a critical SQL injection vulnerability discovered in the github.com/jackc/pgproto3/v2 library. The flaw arises from an integer overflow when the library calculates the size of a protocol message: the computed length no longer matches the data actually written, so an attacker can shift message boundaries and inject SQL that the application never intended to send. The vulnerability affects applications using versions of pgproto3/v2 before 2.3.3; a patch has been released in version 2.3.3.
The core of this vulnerability is an integer overflow inside pgproto3/v2, a core component for PostgreSQL interaction in Go applications. An attacker who controls enough input to produce a single oversized message can cause the server to interpret that one message as several smaller ones, because the truncated length field ends the first message early and the remaining bytes are parsed as further messages. This lets the attacker bypass the parameter binding that normally keeps data separate from SQL and inject arbitrary SQL commands. Successful exploitation could lead to unauthorized data access, modification, or deletion within the PostgreSQL database. The potential blast radius is significant: any application relying on the vulnerable pgproto3/v2 library to talk to PostgreSQL may expose sensitive data and have its integrity compromised. This vulnerability shares similarities with other message size manipulation flaws in which unexpected data sizes are leveraged to bypass security controls.
CVE-2024-27304 was publicly disclosed on March 14, 2024. Its severity is classified as CRITICAL with a CVSS score of 9.8. As of this writing, the vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept exploits are currently unavailable, but the critical nature of the vulnerability suggests a high probability of exploitation if a PoC is released. Monitor security advisories and threat intelligence feeds for updates.
Applications written in Go that utilize the github.com/jackc/pgproto3/v2 library to interact with PostgreSQL databases are at risk. This includes applications using this library as a dependency, particularly those that handle user-supplied data directly in SQL queries without proper sanitization. Projects relying on older, unmaintained versions of the library are especially vulnerable.
• go: Inspect dependencies for versions of github.com/jackc/pgproto3/v2 prior to 2.3.3 using go list -m all:
go list -m all | grep github.com/jackc/pgproto3/v2
• go: Examine application code for usage of github.com/jackc/pgproto3/v2 and potential areas where large queries or bind messages are constructed.
• generic web: Monitor PostgreSQL logs for unusually large query or bind messages. Look for errors related to message size limits.
• generic web: Implement WAF rules to detect and block SQL queries exceeding a predefined size limit.
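The dependency check above can be automated. The following is an added example written for this note, not code from the pgproto3 project or from the advisory: it parses the output of go list -m all, finds github.com/jackc/pgproto3/v2, and reports any version older than the fixed release 2.3.3. The sample go list output embedded in the program is constructed for illustration; the semantic-version comparison is a small self-contained implementation so the program needs only the standard library.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go list -m all` output, used so the program runs offline.
// Real output has one "<module path> <version>" line per module; the main module has no version.
const sampleGoList = `example.com/myapp
github.com/jackc/pgconn v1.14.0
github.com/jackc/pgproto3/v2 v2.3.2
github.com/jackc/pgx/v4 v4.18.1
golang.org/x/text v0.14.0
`

// Affected module and fixed version as stated in the advisory.
const (
	vulnerableModule = "github.com/jackc/pgproto3/v2"
	fixedVersion     = "v2.3.3"
)

// parseSemver splits "v2.3.2" (optionally carrying a -pre or +build suffix) into numeric parts.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // pre-release/build metadata is ignored for this check
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unexpected version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// olderThan reports whether version a is numerically older than version b.
func olderThan(a, b string) (bool, error) {
	pa, err := parseSemver(a)
	if err != nil {
		return false, err
	}
	pb, err := parseSemver(b)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i], nil
		}
	}
	return false, nil
}

// FindVulnerable scans `go list -m all` output and returns every version of the
// affected module that is older than the fixed release. Lines with a "=>"
// replace directive are matched on the original module path only.
func FindVulnerable(goListOutput string) ([]string, error) {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(goListOutput))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || fields[0] != vulnerableModule {
			continue
		}
		old, err := olderThan(fields[1], fixedVersion)
		if err != nil {
			return nil, err
		}
		if old {
			hits = append(hits, fields[1])
		}
	}
	return hits, sc.Err()
}

func main() {
	hits, err := FindVulnerable(sampleGoList)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(hits) == 0 {
		fmt.Println("no vulnerable", vulnerableModule, "version found")
		return
	}
	fmt.Printf("%s %v is older than %s: upgrade required\n", vulnerableModule, hits, fixedVersion)
}
```

To run it against a real project, pipe `go list -m all` into the program instead of using the embedded sample (for example by reading os.Stdin into a string and passing it to FindVulnerable). The check deliberately matches the module path exactly, so github.com/jackc/pgproto3 (the v1 path) is not reported; extend the constant table if your tree contains other major versions.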
EPSS
1.93% (83rd percentile)
The primary mitigation for CVE-2024-27304 is to immediately upgrade to version 2.3.3 or later of the github.com/jackc/pgproto3/v2 library. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. While not a complete solution, input validation and sanitization on the application side can help prevent oversized messages from being sent to the database. Additionally, consider implementing Web Application Firewall (WAF) rules to detect and block suspicious SQL queries. Monitor PostgreSQL logs for unusual activity or error messages related to message sizes. After upgrading, confirm the fix by sending a large query and verifying that the message size calculation remains within expected bounds.
Upgrade the pgx library to version 4.18.2 or later, or to version 5.5.4 or later. This fixes the SQL injection vulnerability caused by an integer overflow in the protocol message size. Alternatively, reject user input large enough that a single query or bind message would exceed 4 GB.
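The following added example illustrates the defect class behind this advisory and the application-side workaround of rejecting input before it can produce an oversized message. It is written for this note and is not pgproto3's or pgx's source: naiveFrameLength shows how adding a body size to the 4-byte header and truncating to int32 yields a small, wrong length for a body just past 2^32 bytes, safeFrameLength performs the same calculation with a bounds check, and BindBodySize/GuardBindParams apply that check to the parameters of a Bind message using the documented wire layout (the names and the text-format, no-format-code assumptions are this example's own). No large buffer is allocated; the sizes are passed as integers, so the program runs on a 64-bit Go toolchain without 4 GB of memory.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// PostgreSQL wire format: after the 1-byte message type, a 4-byte big-endian
// signed length follows that counts itself but not the type byte.
const (
	lengthFieldLen = 4
	maxMessageLen  = math.MaxInt32 // largest value the signed 32-bit length field can carry
)

// naiveFrameLength mirrors the defect class described in the advisory: the body
// size is added to the header size and converted to int32 without a range check,
// so a body of 2^32+6 bytes is reported as a 10-byte message. Illustrative only.
func naiveFrameLength(bodyLen int) int32 {
	return int32(lengthFieldLen + bodyLen)
}

// ErrMessageTooLarge is returned when a body cannot be framed without overflow.
var ErrMessageTooLarge = errors.New("message body too large for a 32-bit length field")

// safeFrameLength is the hardened form: it refuses any body whose framed length
// would not fit in the length field, so the truncation can never occur.
func safeFrameLength(bodyLen int) (int32, error) {
	if bodyLen < 0 || bodyLen > maxMessageLen-lengthFieldLen {
		return 0, ErrMessageTooLarge
	}
	return int32(lengthFieldLen + bodyLen), nil
}

// BindBodySize computes the body size of a Bind message for the given parameter
// values, assuming empty portal and statement names, no explicit parameter
// format codes and no explicit result format codes (an assumption of this example):
// two NUL terminators, an Int16 format-code count, an Int16 parameter count,
// an Int32 length per parameter plus its bytes, and an Int16 result-format count.
func BindBodySize(params [][]byte) int {
	n := 1 + 1 + 2 + 2 + 2
	for _, p := range params {
		n += 4 + len(p)
	}
	return n
}

// GuardBindParams is the application-side workaround: check the size the
// parameters would occupy on the wire and reject them before any message is built.
func GuardBindParams(params [][]byte) error {
	_, err := safeFrameLength(BindBodySize(params))
	return err
}

func main() {
	// A body a few bytes past 2^32 wraps to a tiny length under the naive calculation.
	oversized := (1 << 32) + 6
	fmt.Printf("naive length for a %d-byte body: %d\n", oversized, naiveFrameLength(oversized))
	if _, err := safeFrameLength(oversized); err != nil {
		fmt.Println("safe framing rejected it:", err)
	}
	small := [][]byte{[]byte("alice"), []byte("42")}
	fmt.Println("normal bind body size:", BindBodySize(small), "guard error:", GuardBindParams(small))
}
```

In a real application the guard belongs at the boundary where user input enters (request handlers, import jobs), and a far lower limit than 2 GB is appropriate for almost every field; the check here is only about keeping the protocol arithmetic well defined. Upgrading the library remains the fix, because the guard protects only the code paths that call it.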
CVE-2024-27304 is a critical SQL Injection vulnerability in the github.com/jackc/pgproto3/v2 library, allowing attackers to inject malicious SQL through oversized messages.
You are affected if your Go application uses github.com/jackc/pgproto3/v2 versions prior to 2.3.3 and interacts with a PostgreSQL database.
Upgrade to version 2.3.3 or later of github.com/jackc/pgproto3/v2. Consider temporary workarounds like input validation if immediate upgrade is not possible.
While no public exploits are currently available, the vulnerability's critical nature suggests a high probability of exploitation if a PoC is released.
Refer to the GitHub repository for updates: https://github.com/jackc/pgproto3/releases