{
"schema_version": "1.4.0",
"id": "GHSA-7jwh-3vrq-q3m8",
"modified": "2024-03-14T21:46:07Z",
"published": "2024-03-04T20:45:25Z",
"aliases": [
],
"summary": "pgproto3 SQL Injection via Protocol Message Size Overflow",
"details": "### Impact\n\nSQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.\n\n### Patches\n\nThe problem is resolved in v2.3.3.\n\n### Workarounds\n\nReject user input large enough to cause a single query or bind message to exceed 4 GB in size.\n",
"severity": [
],
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/jackc/pgproto3"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.3"
}
]
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/jackc/pgproto3/v2"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.3"
}
]
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/jackc/pgx/v4"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.2"
}
]
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/jackc/pgx/v5"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.5.4"
}
]
}
]
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8"
},
{
"type": "WEB",
"url": "https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27304"
},
{
"type": "WEB",
"url": "https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007"
},
{
"type": "WEB",
"url": "https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4"
},
{
"type": "WEB",
"url": "https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8"
},
{
"type": "WEB",
"url": "https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df"
},
{
"type": "PACKAGE",
"url": "https://github.com/jackc/pgproto3"
}
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-89"
],
"severity": "MODERATE",
"github_reviewed": true,
"github_reviewed_at": "2024-03-04T20:45:25Z",
"nvd_published_at": null
}
}