1. About the Vulnerability

Vulnerability Name

SQL Injection Vulnerability in PostgreSQL JDBC Driver (CVE-2024-1597)

Release Date

February 22, 2024

Component Name

PostgreSQL JDBC Driver 

Affected Versions

42.7.0 ≤ PostgreSQL JDBC Driver < 42.7.2
42.6.0 ≤ PostgreSQL JDBC Driver < 42.6.1
42.5.0 ≤ PostgreSQL JDBC Driver < 42.5.5
42.4.0 ≤ PostgreSQL JDBC Driver < 42.4.4
42.3.0 ≤ PostgreSQL JDBC Driver < 42.3.9
PostgreSQL JDBC Driver < 42.2.28

Vulnerability Type

SQL Injection

Severity

CVSS v3 Base Score: 10.0 (Critical)

Exploitability

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Impact

Confidentiality Impact: High

Integrity Impact: High

Availability Impact: High

 

2. About CVE-2024-1597

2.1 About the Component

PostgreSQL is a powerful, open-source object-relational database system known for its reliability, robustness, and performance. PostgreSQL handles various workloads, from small applications to large online applications and data warehouses.

The PostgreSQL JDBC Driver is a software component that enables Java applications to interact with PostgreSQL databases using the Java Database Connectivity (JDBC) API.

2.2 About the Vulnerability

On February 22, 2024, Sangfor FarSight Labs received notification of the SQL injection vulnerability (CVE-2024-1597) in the PostgreSQL JDBC driver, classified as critical (CVSS Score 10.0) by PostgreSQL.

The vulnerability affects only connections whose PreferQueryMode property is set to SIMPLE; in the default extended mode, parameter values are sent to the server separately from the query text and the driver is not affected. In simple mode the driver substitutes parameter values into the SQL text on the client side. When a numeric placeholder is immediately preceded by a minus sign and a string placeholder follows it on the same line, a negative numeric value produces the character sequence "--", which PostgreSQL treats as the start of a line comment. The rest of that line, including the opening quote of the string parameter, is commented out, so an attacker who controls the string value can supply a newline followed by SQL of their choosing, defeating the protection that parameterized queries are meant to provide. No database credentials are needed, only control over the application input bound to that parameter; the injected statements run with the privileges of the application's database role, allowing sensitive data to be read or modified.
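The following Python is an added illustration, not code from this advisory or from the pgjdbc project, and it talks to no database. It models the client-side substitution that simple query mode performs and the way the server lexes the result, so that the effect of a negative number in front of a string parameter can be seen end to end. The query, the bound values, the payload and the parenthesising "hardened" variant are all constructed for this example; the real driver's code and its upstream patch differ in detail.

```python
"""
Added illustration of CVE-2024-1597 (not pgjdbc code, talks to no database):
a model of the client-side parameter substitution that preferQueryMode=simple
performs, and of how the server then lexes the result.
"""
from typing import List, Sequence, Union

Param = Union[int, float, str, None]


def quote_literal(value: Param) -> str:
    """Render one bound value as SQL text the way an interpolating driver
    does: NULL, bare numbers, or a single-quoted string with ' doubled."""
    if value is None:
        return "NULL"
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + value.replace("'", "''") + "'"


def render_simple_mode(sql: str, params: Sequence[Param], hardened: bool = False) -> str:
    """Replace each '?' outside a string literal with its parameter.

    hardened=False mirrors the vulnerable behaviour: the text '-?' bound to -1
    becomes '--1', which PostgreSQL lexes as the start of a line comment.
    hardened=True wraps negative numbers in parentheses, giving '-(-1)'. That
    is one sufficient fix, assumed here for illustration; upstream's patch
    may differ in detail. In the default extended mode none of this happens:
    values travel in a separate Bind message and are never spliced into text.
    """
    out: List[str] = []
    idx, in_str = 0, False
    for ch in sql:
        if ch == "'":
            in_str = not in_str
        if ch == "?" and not in_str:
            if idx >= len(params):
                raise ValueError("more placeholders than parameters")
            value = params[idx]
            idx += 1
            lit = quote_literal(value)
            if hardened and isinstance(value, (int, float)) and value < 0:
                lit = "(" + lit + ")"
            out.append(lit)
        else:
            out.append(ch)
    if idx != len(params):
        raise ValueError("more parameters than placeholders")
    return "".join(out)


def server_view(rendered: str) -> List[str]:
    """Approximate the server-side lexer for the constructs this bug abuses:
    skip '--' comments outside string literals, honour '' inside them, and
    split on top-level ';'. Returns the statements that would actually run
    (the simple query protocol accepts several statements in one message)."""
    statements: List[str] = []
    cur: List[str] = []
    in_str, i = False, 0
    while i < len(rendered):
        ch = rendered[i]
        if in_str:
            if ch == "'" and rendered[i + 1:i + 2] == "'":
                cur.append("''")
                i += 2
                continue
            if ch == "'":
                in_str = False
            cur.append(ch)
        elif ch == "'":
            in_str = True
            cur.append(ch)
        elif rendered.startswith("--", i):
            nl = rendered.find("\n", i)
            if nl == -1:
                break              # comment runs to end of input
            i = nl                 # keep the newline, drop the comment
            continue
        elif ch == ";":
            statements.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        statements.append(tail)
    return statements


# The vulnerable shape named in the advisory: a numeric placeholder right
# after a minus sign, then a string placeholder on the same line.
QUERY = "SELECT id FROM accounts WHERE balance > -? AND owner = ?"

# Constructed attacker-controlled string (not from the page). The newline ends
# the comment that '--1' opened, '0' completes the truncated WHERE clause,
# a second statement follows, and the trailing '--' swallows the driver's
# closing quote so the whole thing still parses.
PAYLOAD = "\n0; DROP TABLE accounts; --"


def statements_seen_by_server(hardened: bool) -> List[str]:
    """Bind (-1, PAYLOAD) to QUERY and report what the server would execute."""
    return server_view(render_simple_mode(QUERY, [-1, PAYLOAD], hardened=hardened))


if __name__ == "__main__":
    print("vulnerable:", statements_seen_by_server(False))
    print("hardened  :", statements_seen_by_server(True))
```

Run as a script, the vulnerable rendering yields two statements, the second being the attacker's DROP TABLE, while the parenthesised rendering yields a single SELECT whose string literal merely contains the payload text. The same exercise with any non-negative first value produces no "--" and no injection, which is why the precondition in the advisory is so specific.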

3. Affected Versions

42.7.0 ≤ PostgreSQL JDBC Driver < 42.7.2

42.6.0 ≤ PostgreSQL JDBC Driver < 42.6.1

42.5.0 ≤ PostgreSQL JDBC Driver < 42.5.5

42.4.0 ≤ PostgreSQL JDBC Driver < 42.4.4

42.3.0 ≤ PostgreSQL JDBC Driver < 42.3.9

PostgreSQL JDBC Driver < 42.2.28

4. Solutions

4.1 Remediation Solutions

4.1.1 Official Solution

The PostgreSQL JDBC Driver project has released fixed versions 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9 and 42.2.28, and affected users are strongly recommended to upgrade to the fixed release of their branch. Until the upgrade is deployed, do not set the connection property preferQueryMode=simple: connections that leave preferQueryMode unset use the default extended mode and are not affected. Downloads and release notes are available at https://jdbc.postgresql.org/download/
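As an added example, not from this advisory or from the pgjdbc project, the Python below combines the two facts that decide exposure, the driver version against the affected ranges listed above and whether the connection actually selects simple query mode. The JDBC URL format it parses (jdbc:postgresql://host[:port]/db?key=value&...) and the treatment of a preferQueryMode entry in the Properties object are assumptions based on how pgjdbc connections are normally configured; the sample hosts are constructed.

```python
"""
Added example (not from the advisory or pgjdbc): decide whether a deployment is
exposed to CVE-2024-1597 from two facts, the pgjdbc version and the JDBC
connection settings. Version ranges are the advisory's; the URL format assumed
is pgjdbc's jdbc:postgresql://host[:port]/db?key=value&... form.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# (first affected, first fixed) for each release branch listed in the advisory.
AFFECTED_RANGES: List[Tuple[Tuple[int, int, int], Tuple[int, int, int]]] = [
    ((42, 7, 0), (42, 7, 2)),
    ((42, 6, 0), (42, 6, 1)),
    ((42, 5, 0), (42, 5, 5)),
    ((42, 4, 0), (42, 4, 4)),
    ((42, 3, 0), (42, 3, 9)),
    ((0, 0, 0), (42, 2, 28)),   # everything older than the 42.2 fix
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '42.2.28', '42.2.28.jre7' or '42.7.2-SNAPSHOT' into a comparable
    (major, minor, patch) tuple; non-numeric suffixes are ignored."""
    nums: List[int] = []
    for part in version.split("."):
        digits = ""
        for c in part:
            if not c.isdigit():
                break
            digits += c
        if not digits:
            break
        nums.append(int(digits))
        if len(nums) == 3:
            break
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def version_is_affected(version: str) -> bool:
    """True when the version falls inside any (first affected, first fixed) range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def uses_simple_mode(jdbc_url: str, props: Optional[Dict[str, str]] = None) -> bool:
    """preferQueryMode may be given in the URL query string or in the
    java.util.Properties passed to DriverManager.getConnection; if neither
    sets it, the driver defaults to extended mode, which is not affected.
    Either source saying 'simple' is treated as exposed (assumption: we do
    not model which source wins when both are present)."""
    url = jdbc_url[len("jdbc:"):] if jdbc_url.startswith("jdbc:") else jdbc_url
    from_url = parse_qs(urlsplit(url).query).get("preferQueryMode", [])
    from_props = [props["preferQueryMode"]] if props and "preferQueryMode" in props else []
    return any(m.strip().lower() == "simple" for m in from_url + from_props)


def is_exposed(version: str, jdbc_url: str, props: Optional[Dict[str, str]] = None) -> bool:
    """Exposed only when both hold: a vulnerable driver AND simple query mode."""
    return version_is_affected(version) and uses_simple_mode(jdbc_url, props)


if __name__ == "__main__":
    # Constructed sample deployment, not a real host.
    url = "jdbc:postgresql://db.internal:5432/app?ssl=true&preferQueryMode=simple"
    for ver in ("42.2.27", "42.2.28", "42.6.0", "42.6.1", "42.7.1", "42.7.2"):
        print(ver, "exposed" if is_exposed(ver, url) else "ok")
```

Both conditions matter: a vulnerable version on a default (extended mode) connection is not exploitable through this bug, and a simple-mode connection on a fixed version is safe from it, though upgrading remains the only durable fix since the query mode can be changed by anyone who edits the connection string.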

5. Timeline

On February 22, 2024, Sangfor FarSight Labs received notification of the SQL injection vulnerability (CVE-2024-1597) in the PostgreSQL JDBC driver.

On February 22, 2024, Sangfor FarSight Labs released a vulnerability alert.

6. References

https://github.com/advisories/GHSA-24rp-q3w6-vc56

https://nvd.nist.gov/vuln/detail/CVE-2024-1597

7. About Sangfor FarSight Labs

Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.
