CVE-2024-1597
CRITICAL | EXPLOITED
PostgreSQL JDBC Driver < 42.2.28 - SQL Injection via PreferQueryMode=SIMPLE
Title source: llm
Exploitation Summary
CVE-2024-1597 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if the connection uses PreferQueryMode=SIMPLE. Note this is not the default; in the default (extended) query mode there is no vulnerability. For the attack to work, a placeholder for a numeric value must be immediately preceded by a minus sign, and a second placeholder for a string value must follow it on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries normally provide against SQL injection. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
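The following is an added illustration of the mechanism, not pgjdbc's own code. In the default extended protocol, parameters travel in separate Bind messages and are never spliced into the statement text, which is why it is unaffected. With the preferQueryMode=simple connection property the driver must inline each value as a literal, so a negative number bound to a "-?" placeholder produces "--", the start of a PostgreSQL line comment. The model below assumes only two simple-mode behaviours (numbers inlined verbatim, strings single-quoted with embedded quotes doubled) and reproduces the server's view of the result; the query, table name and attacker input are constructed for the example, and the parenthesized-negative variant is an illustrative hardening, not a claim about the exact upstream patch (upgrade to the fixed versions listed above).

```python
"""Model of CVE-2024-1597: pgjdbc simple-query-mode parameter inlining turning
'-?' into a '--' line comment. Added example, not pgjdbc source."""

# Query pattern from the advisory: a numeric placeholder directly after a minus
# sign, followed on the same line by a string placeholder. Names are made up.
QUERY = "SELECT -? AS adjustment, ? AS memo"

# Constructed attacker input. The leading newline ends the line comment that
# '--1' opens, so the text after it is live SQL; the trailing '--' comments out
# the driver's closing quote and the rest of the original line.
ATTACK_PARAMS = [-1, "\n; DROP TABLE accounts; --"]
BENIGN_PARAMS = [5, "customer's refund"]


def inline_params(sql, params, paren_negative=False):
    """Substitute each '?' with a literal, as a simple-mode driver must do
    because it cannot send bind parameters out of band.

    paren_negative=False reproduces the vulnerable behaviour (numbers verbatim).
    paren_negative=True emits '(-1)' so the two minus signs can never touch;
    this is an illustrative hardening only.
    Assumes the statement text has no '?' inside its own quotes."""
    values = iter(params)
    out = []
    for ch in sql:
        if ch != "?":
            out.append(ch)
            continue
        v = next(values)
        if isinstance(v, str):
            out.append("'" + v.replace("'", "''") + "'")  # standard SQL quoting
        elif paren_negative and v < 0:
            out.append("(" + str(v) + ")")
        else:
            out.append(str(v))
    return "".join(out)


def server_view(sql, blank_literals=False):
    """Model the PostgreSQL lexer's view of a statement: '--' outside a string
    literal comments out the rest of that line only, and a doubled quote inside
    a literal does not end it. With blank_literals=True each literal body is
    dropped, leaving only the text the parser treats as SQL syntax."""
    out, i, in_str = [], 0, False
    while i < len(sql):
        c = sql[i]
        if in_str:
            if sql.startswith("''", i):          # escaped quote, stay in literal
                if not blank_literals:
                    out.append("''")
                i += 2
                continue
            if c == "'":
                in_str = False
                out.append(c)
            elif not blank_literals:
                out.append(c)
        elif c == "'":
            in_str = True
            out.append(c)
        elif sql.startswith("--", i):
            nl = sql.find("\n", i)
            if nl == -1:
                break                             # comment runs to end of input
            i = nl                                # drop the comment, keep the newline
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def vulnerable_sql(params):
    return inline_params(QUERY, params)


def hardened_sql(params):
    return inline_params(QUERY, params, paren_negative=True)


def injected(sql):
    """True if attacker text reaches the parser as SQL rather than as a string."""
    return "DROP TABLE" in server_view(sql, blank_literals=True)


if __name__ == "__main__":
    for label, params in (("benign", BENIGN_PARAMS), ("attack", ATTACK_PARAMS)):
        v, h = vulnerable_sql(params), hardened_sql(params)
        print(f"{label:>6} vulnerable: {v!r} -> injected={injected(v)}")
        print(f"{label:>6} hardened:   {h!r} -> injected={injected(h)}")
```

Note that quote escaping is intact throughout: the attacker never breaks out of the string literal. The comment started by "--1" swallows the opening quote, the embedded newline ends the comment, and because the simple query protocol sends the whole text as one Query message, the second statement runs. Parenthesizing or otherwise separating the negative literal removes the "--" token; not using simple mode removes the text substitution altogether.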
References
https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/
Third Party Advisory
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/TZQTSMESZD2RJ5XBPSXH3TIQVUW5DIUU/
Third Party Advisory
https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/
Vendor Advisory
https://security.netapp.com/advisory/ntap-20240419-0008/
Scores
CVSS v3
10.0
EPSS
0.0035
EPSS Percentile
57.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
VulnCheck KEV
2024-10-30
CWE
CWE-89
Status
published
Products (3)
fedoraproject/fedora
40
org.postgresql/postgresql
0 - 42.2.28 (Maven)
postgresql/postgresql_jdbc_driver
< 42.2.28
Published
Feb 19, 2024
Tracked Since
Feb 18, 2026