CVE-2024-27304
moderate-risk
Published 2024-03-06
pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.
Do I need to act?
EPSS score: 1.9% chance of exploitation in the next 30 days (moderate exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Fix available
Upgrade to: 945c2126f6db8f3bea7eeebe307c01fe92bca007, 14690df4c533758df97f7cc561cb9062155045c6, da6f2c98f2664b215b40b1606551fdfcc7f3ea5c
CVSS 9.8/10, Critical
Attack vector: NETWORK / LOW complexity
Affected Products (2)
Pgproto3
Pgx
Affected Vendors
References (13)
Press/Media Coverage
https://www.youtube.com/watch?v=Tfg1B8u1yvE
Score: 44 / 100, moderate-risk
Severity
32/34 · Critical
Exploitability
5/34 · Minimal
Exposure
7/34 · Low