A new security vulnerability, CVE-2024-1597, has been discovered in the PostgreSQL JDBC Driver (pgjdbc). It allows an attacker to inject malicious SQL into applications that use the PreferQueryMode=SIMPLE connection setting, which is not the default mode, potentially leading to unauthorized data access, data manipulation, or other malicious activity.

Affected Versions

Versions prior to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 of pgjdbc are affected by this vulnerability.

Vulnerability Details

To exploit this vulnerability, an attacker needs to craft a string payload for an application query that meets specific conditions: a placeholder for a numeric value must be immediately preceded by a minus sign (-); a second placeholder for a string value must follow the first; and both placeholders must appear on the same line of code in the application.

For example, consider the following vulnerable code snippet:

// A numeric placeholder written directly after a minus sign, followed on the
// same line by a string placeholder: the pattern described above.
String sqlCommand = "SELECT * FROM users WHERE id=-?::bigint AND username=?::text";
PreparedStatement preparedStatement = connection.prepareStatement(sqlCommand);
preparedStatement.setInt(1, userId);
preparedStatement.setString(2, username);
ResultSet resultSet = preparedStatement.executeQuery();

In this code, the application uses two placeholders: a numeric value (userId) immediately preceded by a minus sign, and a string value (username) on the same line. If the connection is configured with PreferQueryMode=SIMPLE, this statement is susceptible to CVE-2024-1597.

An attacker could potentially craft malicious payloads for the userId and username parameters that would allow them to inject additional SQL commands, bypassing the protection against SQL injection that parameterized queries normally provide.
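As an added example (not code from the advisory or from the pgjdbc project), the following Python helper encodes the two facts above, the fixed release of each pgjdbc line and the query shape the attack needs, so a reviewer can flag the combination of old driver, simple query mode and risky statement text. The regular expression checks only the textual shape of the statement, not parameter types, and the handling of release lines the advisory does not name (older than 42.2, newer than 42.7) is an assumption.

```python
import re

# Fixed pgjdbc releases named in the advisory, keyed by release line (major, minor).
FIXED_VERSIONS = {
    (42, 7): (42, 7, 2),
    (42, 6): (42, 6, 1),
    (42, 5): (42, 5, 5),
    (42, 4): (42, 4, 4),
    (42, 3): (42, 3, 9),
    (42, 2): (42, 2, 8),
}

# A placeholder written directly after a minus sign, followed later on the
# same line by a second placeholder: the textual shape the advisory describes.
RISKY_SQL = re.compile(r"-\?[^?]*\?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '42.7.1' (or '42.2.7.jre7') into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if len(parts) < 3:
        raise ValueError(f"unrecognised pgjdbc version: {text!r}")
    return parts[0], parts[1], parts[2]


def is_vulnerable_version(text: str) -> bool:
    """True when the driver predates the fixed release of its own line."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is not None:
        return version < fixed
    # Assumption for lines the advisory does not name: anything older than the
    # 42.2 line has no fixed release, anything newer than 42.7 already contains the fix.
    return version < (42, 2, 0)


def has_risky_placeholders(sql: str) -> bool:
    """Flag statement text matching the '-?' ... '?' shape; parameter types are not inspected."""
    return RISKY_SQL.search(sql) is not None


def needs_review(driver_version: str, prefer_query_mode: str, sql: str) -> bool:
    """Exposed only when old driver, simple query mode and risky statement shape coincide."""
    return (is_vulnerable_version(driver_version)
            and prefer_query_mode.lower() == "simple"
            and has_risky_placeholders(sql))
```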

Mitigation

1. Update the pgjdbc library to one of the fixed versions: 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, or 42.2.8.


Conclusion

Keeping the pgjdbc library up to date and avoiding the non-default PreferQueryMode=SIMPLE configuration protect applications against CVE-2024-1597 and the SQL injection it would otherwise allow, keeping sensitive data secure.

Timeline

Published on: 02/19/2024 13:15:07 UTC
Last modified on: 03/25/2024 16:42:20 UTC