In this post, we will dive into an SQL injection vulnerability, identified as CVE-2024-27289, which was discovered in the pgx driver for PostgreSQL in Go applications. The vulnerability was present in versions prior to v4.18.2 and allowed attackers to perform an SQL injection attack under specific conditions. We'll explore the conditions under which the exploit can occur, provide a code snippet of a vulnerable application and links to the original references and patches, and explain how to avoid the vulnerability by upgrading or applying a workaround.

A vulnerable code snippet example

package main

import (
	"context"
	"log"
	"os"

	"github.com/jackc/pgx/v4"
)

func main() {
	ctx := context.Background()

	// The injection this post describes only applies when the driver is
	// switched from its default extended protocol to the simple protocol.
	config, err := pgx.ParseConfig(os.Getenv("DATABASE_URL"))
	if err != nil {
		log.Fatalf("unable to parse DATABASE_URL: %v\n", err)
	}
	config.PreferSimpleProtocol = true

	conn, err := pgx.ConnectConfig(ctx, config)
	if err != nil {
		log.Fatalf("unable to connect to database: %v\n", err)
	}
	defer conn.Close(ctx)

	// The literal -1 and "admin" stand in for values an attacker may control:
	// a numeric placeholder followed by a string placeholder in the same query.
	var id int
	var username string
	err = conn.QueryRow(ctx, "SELECT id, username FROM users WHERE id = $1 AND username = $2",
		-1, "admin").Scan(&id, &username)
	if err != nil {
		log.Fatalf("query error encountered: %v\n", err)
	}
	log.Printf("user id=%d, username=%s\n", id, username)
}

In the code snippet above, if an attacker can control the values bound to the numeric and string placeholders, they can perform an SQL injection attack by exploiting the flaw in the pgx driver's simple protocol mode.

References and Patches

The issue was reported on GitHub and has been addressed in the pgx v4.18.2 release. The patch can be found at the following link:

- pgx v4.18.2 Patch
- GitHub issue discussing the vulnerability

Workarounds and Recommendations

To protect your applications from this vulnerability, it is highly recommended to upgrade the pgx PostgreSQL driver for Go to version v4.18.2 or later. However, if upgrading is not immediately possible, there is a workaround that minimizes the risk:

1. Do not use the simple protocol mode in the pgx driver. The default extended protocol mode is not affected by this vulnerability.
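As an added example that is not part of the original post or of the pgx project, the following Go program checks a go.mod file for a github.com/jackc/pgx/v4 requirement older than the v4.18.2 release named above; the go.mod it scans is constructed for demonstration, and the module path and fixed version are the ones this post gives.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const pgxV4Module = "github.com/jackc/pgx/v4"

var pgxV4Fixed = [3]int{4, 18, 2} // first fixed release named on this page

// VulnerableVersion reports whether a pgx/v4 version string such as "v4.18.1",
// "v4.18.2-0.20240301120000-abcdef" or "v4.18.1+incompatible" predates the fix.
func VulnerableVersion(v string) (bool, error) {
	base, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "+") // "+incompatible" is build metadata only
	base, suffix, _ := strings.Cut(base, "-")                  // a "-" suffix marks a prerelease/pseudo-version
	var have [3]int
	if _, err := fmt.Sscanf(base, "%d.%d.%d", &have[0], &have[1], &have[2]); err != nil {
		return false, fmt.Errorf("unparseable version %q: %w", v, err)
	}
	for n := range have {
		if have[n] != pgxV4Fixed[n] {
			return have[n] < pgxV4Fixed[n], nil
		}
	}
	return suffix != "", nil // same numbers as the fix: only a prerelease of it is still older
}

// ScanGoMod finds the pgx/v4 requirement in go.mod text; found is false if absent.
func ScanGoMod(gomod string) (version string, vulnerable, found bool, err error) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		if len(f) >= 2 && f[0] == pgxV4Module { // handles block and single-line require
			vulnerable, err = VulnerableVersion(f[1])
			return f[1], vulnerable, true, err
		}
	}
	return "", false, false, sc.Err()
}

// sampleGoMod is a constructed go.mod for demonstration, not from a real project.
const sampleGoMod = "module example.com/app\n\ngo 1.21\n\nrequire (\n\tgithub.com/jackc/pgx/v4 v4.18.1 // indirect\n\tgithub.com/jackc/pgconn v1.14.0\n)\n"

func main() {
	v, vuln, found, err := ScanGoMod(sampleGoMod)
	fmt.Printf("%s %s found=%v vulnerable=%v err=%v\n", pgxV4Module, v, found, vuln, err)
}
```

Pseudo-versions and prereleases of v4.18.2 itself are still reported as affected, since they predate the tagged release.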

Conclusion

This post has provided an in-depth look at the CVE-2024-27289 SQL injection vulnerability found in the pgx PostgreSQL driver for Go applications. It is important to keep your application's dependencies up to date to protect against vulnerabilities like this one. By upgrading to the latest version of the pgx driver or implementing the suggested workaround, you can protect your applications from this specific vulnerability.

Timeline

Published on: 03/06/2024 19:15:08 UTC
Last modified on: 03/06/2024 21:42:48 UTC