Vulnerability Description
uptrace pgdriver v1.2.1 was discovered to contain a SQL injection vulnerability via the appendArg function in /pgdriver/format.go. The maintainer has stated that the issue is fixed in v1.2.15.
CVSS Score
6.5
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Uptrace | Pgdriver | 1.2.1 |
Related Weaknesses (CWE)
References
- https://github.com/advisories/GHSA-h4h6-vccr-44h2
- https://github.com/uptrace/bun/blob/1573ae7c2fffad1a7f72fd2d205e924b2fd4043b/driProduct
- https://github.com/uptrace/bun/tree/master/driver/pgdriverProduct
- https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CONExploit
- https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injectiExploitThird Party Advisory
FAQ
What is CVE-2024-44906?
CVE-2024-44906 is a vulnerability with a CVSS score of 6.5 (MEDIUM). uptrace pgdriver v1.2.1 was discovered to contain a SQL injection vulnerability via the appendArg function in /pgdriver/format.go. The maintainer has stated that the issue is fixed in v1.2.15.
How severe is CVE-2024-44906?
CVE-2024-44906 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-44906?
Check the references section above for vendor advisories and patch information. Affected products include: Uptrace Pgdriver.