Description
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.
A flaw was found in pgx. In pgx versions before 4.18.2, SQL injection can occur when all of the following conditions are met:
- The non-default simple protocol is used
- A placeholder for a numeric value must be immediately preceded by a minus
- There must be a second placeholder for a string value after the first placeholder
- Both must be on the same line
- Both parameter values must be user-controlled
Mitigation
A possible mitigation is to not use the simple protocol, or to not place a minus directly before a placeholder.
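The conditions above can be partly checked from query text alone, which is useful when auditing a code base that pins pgx below 4.18.2. The following Go program is an added example, not code from pgx or from this advisory: it flags queries in which a positional placeholder directly follows a minus and a second placeholder appears later on the same line, applies the advisory's second workaround by separating the minus from the placeholder, and scans Go source fragments for the pgx v4 simple-protocol options (`PreferSimpleProtocol: true` and `QuerySimpleProtocol(true)`, assumed here to be the v4 identifiers). Parameter types and whether values are user-controlled are not visible in the query text, so a hit is a candidate for review rather than a confirmed bug. All sample queries and call sites are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// minusThenSecondPlaceholder encodes the textual part of the advisory's
// preconditions: a positional placeholder ($N) written directly after a minus
// sign, followed later on the same line by another placeholder. Go's regexp
// does not let "." cross a newline, and the pattern is applied line by line,
// so the "same line" condition is enforced.
var minusThenSecondPlaceholder = regexp.MustCompile(`-\$\d+.*\$\d+`)

// minusBeforePlaceholder finds every "-$N" so the workaround (a separator
// between the minus and the placeholder) can be applied mechanically.
var minusBeforePlaceholder = regexp.MustCompile(`-(\$\d+)`)

// simpleProtocolMarkers are textual hints that a connection or query opts into
// pgx's simple protocol. These are assumed to be the pgx v4 identifiers; the
// scan is plain substring matching, not Go parsing.
var simpleProtocolMarkers = []string{
	"PreferSimpleProtocol: true",
	"QuerySimpleProtocol(true)",
}

// HasMinusPlaceholderPattern reports whether any single line of sql contains
// "-$N ... $M". A true result marks the query for review; it does not prove
// the query is injectable, because types and provenance are not visible here.
func HasMinusPlaceholderPattern(sql string) bool {
	for _, line := range strings.Split(sql, "\n") {
		if minusThenSecondPlaceholder.MatchString(line) {
			return true
		}
	}
	return false
}

// UsesSimpleProtocol reports whether a Go source fragment contains one of the
// simple-protocol markers above.
func UsesSimpleProtocol(goSource string) bool {
	for _, m := range simpleProtocolMarkers {
		if strings.Contains(goSource, m) {
			return true
		}
	}
	return false
}

// SeparateMinusFromPlaceholders rewrites "-$N" to "- $N", which is the
// advisory's second workaround. For a numeric operand PostgreSQL treats
// "- $1" and "-$1" identically, so the query's meaning is unchanged.
func SeparateMinusFromPlaceholders(sql string) string {
	return minusBeforePlaceholder.ReplaceAllString(sql, "- ${1}")
}

// FindCandidates returns, sorted by name, the queries whose text matches the
// minus/placeholder pattern.
func FindCandidates(queries map[string]string) []string {
	var out []string
	for name, sql := range queries {
		if HasMinusPlaceholderPattern(sql) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample queries; not taken from any real code base.
	queries := map[string]string{
		"balance_adjust": "UPDATE accounts SET balance = balance -$1 WHERE owner = $2",
		"spaced_minus":   "UPDATE accounts SET balance = balance - $1 WHERE owner = $2",
		"two_lines":      "UPDATE accounts SET balance = balance -$1\nWHERE owner = $2",
		"no_minus":       "SELECT id FROM accounts WHERE owner = $1 AND region = $2",
	}
	for _, name := range FindCandidates(queries) {
		fmt.Printf("%s: review, or rewrite as %q\n", name, SeparateMinusFromPlaceholders(queries[name]))
	}
	// Constructed call site using the assumed pgx v4 per-query option.
	if UsesSimpleProtocol(`conn.Query(ctx, pgx.QuerySimpleProtocol(true), q, delta, owner)`) {
		fmt.Println("call site opts into the simple protocol; prefer the default extended protocol or upgrade to 4.18.2")
	}
}
```

Of the four constructed queries only `balance_adjust` is reported: the spaced minus, the placeholders split across two lines, and the query without a minus all fail one of the advisory's conditions. The rewrite is a stopgap for code that cannot move off the simple protocol immediately; upgrading to 4.18.2 remains the fix.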
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| Multicluster Engine for Kubernetes | multicluster-engine/agent-service-rhel8 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/assisted-installer-agent-rhel8 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/assisted-installer-reporter-rhel8 | Not affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/assisted-installer-rhel8 | Will not fix | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/acm-search-indexer-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/acm-search-v2-api-rhel9 | Not affected | ||
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-central-db-rhel8 | Out of support scope | ||
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-main-rhel8 | Will not fix | ||
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-rhel8-operator | Out of support scope | ||
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-roxctl-rhel8 | Out of support scope | ||
Additional information
CVSS3 base score: 8.1 (High)