CVE-2024-27289
CVSS 3.1 Score 8.1 of 10 (high)
Details
Published Mar 6, 2024
CWE ID 89
Summary
CVE-2024-27289 is a vulnerability affecting the pgx library, a PostgreSQL driver and toolkit for Go. The issue allows SQL injection when the non-default simple protocol is used, a numeric placeholder is directly preceded by a minus sign, and a numeric placeholder and a string placeholder with user-controlled values appear on the same line. The vulnerability can be exploited to execute arbitrary SQL queries. It is resolved in version 4.18.2. As a workaround, avoid using the simple protocol or do not place a minus directly before a placeholder.
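Teams that cannot upgrade immediately usually want a quick way to find query strings that match the second workaround condition (a minus sign directly before a placeholder). The following Go program is an added example written for this page, not code from the pgx project: it scans a SQL statement line by line, reports lines where `-` immediately precedes a `$n` placeholder together with the number of placeholders on that line, and offers a mechanical rewrite that inserts a space between the minus and the placeholder. The sample queries are constructed; the function names, the regular expressions, and the choice of a space as the separator are this example's own assumptions about how to follow the workaround described above, not the project's guidance.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// minusBeforePlaceholder matches a minus sign written directly before a
// numbered placeholder, e.g. "-$1". This is the textual pattern the
// CVE-2024-27289 workaround tells you to avoid (assumed check, not pgx code).
var minusBeforePlaceholder = regexp.MustCompile(`-\$\d+`)

// anyPlaceholder matches any numbered placeholder ($1, $2, ...).
var anyPlaceholder = regexp.MustCompile(`\$\d+`)

// Finding describes one line of a query that matches the risky pattern.
type Finding struct {
	Line         int    // 1-based line number within the query text
	Text         string // the offending line, whitespace-trimmed
	Placeholders int    // how many placeholders appear on that line
}

// CheckQuery scans a SQL statement and returns every line in which a
// minus sign immediately precedes a placeholder. A line with two or more
// placeholders is the case the advisory describes (numeric and string
// placeholders on the same line), so Placeholders is reported so callers
// can prioritize those lines.
func CheckQuery(sql string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(sql, "\n") {
		if !minusBeforePlaceholder.MatchString(line) {
			continue
		}
		findings = append(findings, Finding{
			Line:         i + 1,
			Text:         strings.TrimSpace(line),
			Placeholders: len(anyPlaceholder.FindAllString(line, -1)),
		})
	}
	return findings
}

// Rewrite separates each "-$n" into "- $n" so the minus no longer sits
// directly before the placeholder. The space is this example's assumed
// way of satisfying the workaround; review the result before adopting it.
func Rewrite(sql string) string {
	return minusBeforePlaceholder.ReplaceAllStringFunc(sql, func(m string) string {
		return "- " + m[1:]
	})
}

func main() {
	// Constructed sample: one risky line (minus before $2, two placeholders
	// on that line) and one clean line.
	query := "SELECT $1::text, -$2::int AS neg\nFROM items WHERE id = $3"
	for _, f := range CheckQuery(query) {
		fmt.Printf("line %d (%d placeholders): %s\n", f.Line, f.Placeholders, f.Text)
	}
	fmt.Println("rewritten:")
	fmt.Println(Rewrite(query))
}
```

Run this against the query literals in a code base (or a SQL log) as a pre-deploy check; any finding on a connection that has the simple protocol enabled should be treated as a reason to upgrade to 4.18.2 or later.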