Bamboo SQL Injection when pgjdbc PreferQueryMode=SIMPLE
CVE-2024-1597 Published on February 19, 2024
pgjdbc SQL Injection via line comment generation
pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
Vulnerability Analysis
CVE-2024-1597 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a SQL Injection Vulnerability?
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
CVE-2024-1597 has been classified to as a SQL Injection vulnerability or weakness.
Products Associated with CVE-2024-1597
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-1597 are published in these products:
Affected Versions
pgjdbc:- Version < 42.7.2 is affected.
- Version < 42.6.1 is affected.
- Version < 42.5.5 is affected.
- Version < 42.4.4 is affected.
- Version < 42.3.9 is affected.
- Version < 42.2.28 is affected.
- Before 42.7.2 is affected.
- Before 42.6.1 is affected.
- Before 42.5.5 is affected.
- Before 42.4.4 is affected.
- Before 42.3.9 is affected.
- Before 42.2.28 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2024-1597
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.postgresql:postgresql | >= 42.7.0, < 42.7.2 | 42.7.2 |
| maven | org.postgresql:postgresql | >= 42.6.0, < 42.6.1 | 42.6.1 |
| maven | org.postgresql:postgresql | >= 42.5.0, < 42.5.5 | 42.5.5 |
| maven | org.postgresql:postgresql | >= 42.4.0, < 42.4.4 | 42.4.4 |
| maven | org.postgresql:postgresql | >= 42.3.0, < 42.3.9 | 42.3.9 |
| maven | org.postgresql:postgresql | < 42.2.28 | 42.2.28 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.