GHSA-7jwh-3vrq-q3m8

Suggest an improvement
Source
https://github.com/advisories/GHSA-7jwh-3vrq-q3m8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7jwh-3vrq-q3m8/GHSA-7jwh-3vrq-q3m8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7jwh-3vrq-q3m8
Aliases
Related
Published
2024-03-04T20:45:25Z
Modified
2024-10-22T05:29:01.941333Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 8.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
pgproto3 SQL Injection via Protocol Message Size Overflow
Details

Impact

SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.

Patches

The problem is resolved in v2.3.3

Workarounds

Reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-190",
        "CWE-89"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-04T20:45:25Z"
}
References

Affected packages

Go / github.com/jackc/pgproto3

Package

Name
github.com/jackc/pgproto3
View open source insights on deps.dev
Purl
pkg:golang/github.com/jackc/pgproto3

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.3

Go / github.com/jackc/pgproto3/v2

Package

Name
github.com/jackc/pgproto3/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/jackc/pgproto3/v2

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.3