CVE-2024-27289
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-27289
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-27289.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-27289
- Aliases
- Downstream
- Related
- Published
- 2024-03-06T18:28:12Z
- Modified
- 2025-10-14T14:13:55.529241Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- pgx SQL Injection via Line Comment Creation
- Details
-
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.
- References
Affected packages
Git / github.com/jackc/pgx
Affected ranges
- Type
- GIT
- Repo
- https://github.com/jackc/pgx
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v2.*
v2.0.0
v2.1.0
v2.10.0
v2.11.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.6.0
v2.7.0
v2.7.1
v2.8.0
v2.8.1
v2.9.0
v3.*
v3.0.0
v3.0.1
v3.1.0
v3.2.0
v3.3.0
v3.4.0
v3.5.0
v3.6.0
v4.*
v4.0.0
v4.0.0-pre1
v4.0.0-pre2
v4.0.0-rc1
v4.0.0-rc2
v4.0.1
v4.1.0
v4.1.1
v4.1.2
v4.10.0
v4.10.1
v4.11.0
v4.12.0
v4.13.0
v4.14.0
v4.14.1
v4.15.0
v4.16.0
v4.16.1
v4.17.0
v4.17.1
v4.17.2
v4.18.0
v4.18.1
v4.2.0
v4.2.1
v4.3.0
v4.4.0
v4.4.1
v4.5.0
v4.6.0
v4.7.0
v4.7.1
v4.7.2
v4.8.0
v4.8.1
v4.9.0
v4.9.1
v4.9.2