Fluid Attacks Database

Description

pgproto3 SQL Injection via Protocol Message Size Overflow

Impact

SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.

Patches

The problem is resolved in v2.3.3

Workarounds

Reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/jackc/pgproto3	>=0 <2.3.3	2.3.3
go	github.com/jackc/pgproto3/v2	>=0 <2.3.3	2.3.3
go	github.com/jackc/pgx/v4	>=0 <4.18.2	4.18.2
go	github.com/jackc/pgx/v5	>=5.0.0 <5.5.4	5.5.4

Aliases

1. NVD-2024-273042. GHSA-7jwh-3vrq-q3m83. GHSA-mrww-27vc-gghv4. GCVE-GHSA-7jwh-3vrq-q3m85. GHSA-7jwh-3vrq-q3m8

References

1. https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m82. https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv3. https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca0074. https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd45. https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd86. https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df7. https://nvd.nist.gov/vuln/detail/CVE-2024-273048. https://github.com/jackc/pgproto3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.