UBUNTU-CVE-2024-27304

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2024-27304

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-27304.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-27304

Related

CVE-2024-27304

Published

2024-03-06T19:15:00Z

Modified

2024-10-15T14:14:03Z

Summary

[none]

Details

pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

References

Affected packages

Ubuntu:22.04:LTS / golang-github-jackc-pgx

Package

Name: golang-github-jackc-pgx
Purl: pkg:deb/ubuntu/golang-github-jackc-pgx?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.6.2-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / golang-github-jackc-pgproto3

Package

Name: golang-github-jackc-pgproto3
Purl: pkg:deb/ubuntu/golang-github-jackc-pgproto3?arch=src?distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.3.2-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / golang-github-jackc-pgx

Package

Name: golang-github-jackc-pgx
Purl: pkg:deb/ubuntu/golang-github-jackc-pgx?arch=src?distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.18.1-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / golang-github-jackc-pgproto3

Package

Name: golang-github-jackc-pgproto3
Purl: pkg:deb/ubuntu/golang-github-jackc-pgproto3?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2.0-2

2.3.2-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / golang-github-jackc-pgx

Package

Name: golang-github-jackc-pgx
Purl: pkg:deb/ubuntu/golang-github-jackc-pgx?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.15.0-4

4.18.1-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}