CVE-2024-27304 — CRITICAL (9.8)

Q: How severe is CVE-2024-27304?

CVE-2024-27304 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2024-27304?

Check the references section above for vendor advisories and patch information. Affected products include: Jackc Pgproto3, Jackc Pgx.

Vulnerability Description

pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Jackc	Pgproto3	< 2.3.3
Jackc	Pgx	< 4.18.2

Related Weaknesses (CWE)

CWE-190 CWE-89

References

FAQ

What is CVE-2024-27304?

CVE-2024-27304 is a vulnerability with a CVSS score of 9.8 (CRITICAL). pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message siz...

How severe is CVE-2024-27304?

CVE-2024-27304 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2024-27304?

Check the references section above for vendor advisories and patch information. Affected products include: Jackc Pgproto3, Jackc Pgx.