CVE-2024-27289

{"id": "CVE-2024-27289", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2024-03-06T19:15:08.140", "references": [{"url": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.\n"}, {"lang": "es", "value": "pgx es un controlador PostgreSQL y un conjunto de herramientas para Go. Antes de la versi\u00f3n 4.18.2, la inyecci\u00f3n SQL puede ocurrir cuando se cumplen todas las condiciones siguientes: se utiliza el protocolo simple no predeterminado; un marcador de posici\u00f3n para un valor num\u00e9rico debe ir precedido inmediatamente de un signo menos; debe haber un segundo marcador de posici\u00f3n para un valor de cadena despu\u00e9s del primer marcador de posici\u00f3n; ambos deben estar en la misma l\u00ednea; y ambos valores de par\u00e1metros deben ser controlados por el usuario. El problema se resuelve en v4.18.2. Como soluci\u00f3n alternativa, no utilice el protocolo simple ni coloque un signo menos directamente antes de un marcador de posici\u00f3n."}], "lastModified": "2025-12-11T15:45:33.937", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pgx_project:pgx:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "A544EDA8-8EF2-407D-8534-2AF89534F7AC", "versionEndExcluding": "4.18.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}