U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2024-1597

Change History

New CVE Received from PostgreSQL 2/19/2024 8:15:07 AM

Action Type Old Value New Value
Added Description

								
							
							
						
pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.
Added CVSS V3.1

								
							
							
						
PostgreSQL AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Added CWE

								
							
							
						
PostgreSQL CWE-89
Added Reference

								
							
							
						
PostgreSQL https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56 [No types assigned]