Postgres version vulnerability

Issue date: 02-10-2024
Affects versions: 15.6, 15.5, 15.4, 15.2, 15.1

Security Issue ID

SECURITY-546

Affected Product Version(s)

15.6.0, 14.7.20 (and previous patch releases)

Severity

High

Description

CVE-2024-1597

pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if the connection uses PreferQueryMode=SIMPLE. Note that this is not the default; in the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus sign, and there must be a second placeholder for a string value after the first placeholder, with both on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries provide against SQL injection attacks.

CVSS v3 Base Score: 10.0

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
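As an added example (not part of this advisory or of pgjdbc itself), a small Python audit helper that checks the two conditions the description names: the non-default preferQueryMode=simple setting in a JDBC URL or properties map, and the statement shape with a minus-prefixed placeholder followed by a second placeholder on the same line. The sample URL and statements are constructed, and property names and values are compared case-insensitively as an auditing assumption.

```python
import re
from urllib.parse import parse_qs

# Statement shape the advisory describes: a placeholder immediately preceded by
# a minus sign, then a second placeholder later on the same line.
RISKY_SHAPE = re.compile(r"-\?[^\n]*\?")


def uses_simple_query_mode(jdbc_url, props=None):
    """True if either the URL query string or the properties mapping sets
    preferQueryMode to 'simple'. A missing setting means the default
    (extended) mode, which the advisory says is not affected."""
    values = []
    for name, found in parse_qs(jdbc_url.partition("?")[2]).items():
        if name.lower() == "preferquerymode":
            values.extend(found)
    for name, value in (props or {}).items():
        if name.lower() == "preferquerymode":
            values.append(str(value))
    return any(v.strip().lower() == "simple" for v in values)


def find_risky_statements(statements):
    """Return the statements whose placeholder layout matches RISKY_SHAPE."""
    return [s for s in statements if RISKY_SHAPE.search(s)]


def assess_connection(jdbc_url, statements, props=None):
    """Combine both conditions: exposure requires simple mode AND a
    statement with the risky placeholder layout."""
    simple = uses_simple_query_mode(jdbc_url, props)
    risky = find_risky_statements(statements)
    return {"simple_mode": simple, "risky_statements": risky,
            "exposed": simple and bool(risky)}


# Constructed sample inputs (not taken from the advisory).
SAMPLE_URL = ("jdbc:postgresql://db.example.internal:5432/app"
              "?preferQueryMode=simple&ssl=true")
SAMPLE_STATEMENTS = [
    "SELECT id FROM ledger WHERE delta = -? AND memo = ?",     # risky shape
    "SELECT id FROM ledger WHERE delta = ? AND memo = ?",      # no leading minus
    "SELECT id FROM ledger WHERE delta = -?\n  AND memo = ?",  # placeholders on different lines
    "UPDATE ledger SET delta = -? WHERE id = 7",               # no second placeholder
]

if __name__ == "__main__":
    report = assess_connection(SAMPLE_URL, SAMPLE_STATEMENTS)
    print("simple mode:", report["simple_mode"])
    print("risky statements:", report["risky_statements"])
    print("exposed:", report["exposed"])
```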

Instructions

Customers are advised to upgrade to the latest version, which at the time of writing is 14.7.21 or 15.7.0.