CVE-2024-27289 (High) detected in github.com/Jackc/pgx/v5-v5.5.2 - autoclosed

[mend-bolt-for-github]

CVE-2024-27289 - High Severity Vulnerability

Vulnerable Library - github.com/Jackc/pgx/v5-v5.5.2

PostgreSQL driver and toolkit for Go

Library home page: https://proxy.golang.org/github.com/!jackc/pgx/v5/@v/v5.5.2.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

• ❌ github.com/Jackc/pgx/v5-v5.5.2 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.

Publish Date: 2024-03-06

URL: CVE-2024-27289

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-m7wr-2xf7-cm9p

Release Date: 2024-03-06

Fix Resolution: v4.18.2,v5.5.4

---

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.