MGASA-2024-0120

Source
https://advisories.mageia.org/MGASA-2024-0120.html
Import Source
https://advisories.mageia.org/MGASA-2024-0120.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2024-0120
Related
Published
2024-04-11T23:58:49Z
Modified
2024-04-11T23:43:38Z
Summary
Updated postgresql-jdbc packages fix security vulnerability
Details

pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if the connection uses PreferQueryMode=SIMPLE. Note that this is not the default; in the default (extended) query mode there is no vulnerability. The vulnerable query shape requires a placeholder for a numeric value immediately preceded by a minus sign, followed on the same line by a second placeholder for a string value. By constructing a matching string payload, the attacker can inject SQL that alters the query, bypassing the protections that parameterized queries provide against SQL injection attacks. (CVE-2024-1597)
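Because the condition is a configuration setting rather than a code pattern, the practical check is to find every PostgreSQL JDBC connection that sets preferQueryMode=simple and to confirm the installed package is at or above the fixed version. The following audit helper is an added example, not code from pgjdbc or from the Mageia advisory; it parses JDBC URLs and java.util.Properties-style dictionaries offline, never connects to a database, and the datasource list and the function names are constructed for illustration. The pgjdbc property name preferQueryMode and its default value extended are real; the helper deliberately matches the key case-insensitively, which is stricter than the driver but appropriate for a check that only raises flags.

```python
"""Audit PostgreSQL JDBC settings for the preferQueryMode=simple condition
described in MGASA-2024-0120 / CVE-2024-1597 (hypothetical helper, not part
of pgjdbc or the advisory)."""
from __future__ import annotations

from urllib.parse import parse_qs, urlparse

DEFAULT_QUERY_MODE = "extended"        # pgjdbc default; the advisory states this mode is not affected
FIXED_MAGEIA9_EVR = "42.5.6-1.mga9"    # fixed package version taken from the advisory


def jdbc_url_params(jdbc_url: str) -> dict[str, str]:
    """Return the key=value parameters of a jdbc:postgresql:... URL.

    Keys are lower-cased so the audit is case-insensitive. Both the
    jdbc:postgresql://host/db?k=v and the jdbc:postgresql:db?k=v forms parse.
    """
    if not jdbc_url.startswith("jdbc:postgresql:"):
        raise ValueError(f"not a PostgreSQL JDBC URL: {jdbc_url!r}")
    query = urlparse(jdbc_url[len("jdbc:"):]).query
    return {k.lower(): v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def uses_simple_query_mode(jdbc_url: str, properties: dict | None = None) -> bool:
    """True when preferQueryMode=simple is set in the URL or in the Properties.

    The check flags the setting wherever it appears instead of modelling the
    driver's URL-versus-Properties precedence, which keeps it conservative.
    """
    params = jdbc_url_params(jdbc_url)
    for key, value in (properties or {}).items():
        params[key.lower()] = str(value)
    return params.get("preferquerymode", DEFAULT_QUERY_MODE).lower() == "simple"


def audit_datasources(datasources: list[dict]) -> list[str]:
    """Return the names of datasources running in the affected query mode."""
    return [ds["name"] for ds in datasources
            if uses_simple_query_mode(ds["url"], ds.get("properties"))]


def _evr_key(evr: str) -> tuple[tuple[int, ...], int]:
    """Simplified rpm version key: dotted numeric version, then leading release number.

    Good enough for postgresql-jdbc version strings; a full rpmvercmp is not
    implemented here.
    """
    version, _, release = evr.partition("-")
    release_num = release.split(".")[0]
    return (tuple(int(p) for p in version.split(".")),
            int(release_num) if release_num.isdigit() else 0)


def mageia9_pgjdbc_is_fixed(installed_evr: str) -> bool:
    """True when an installed Mageia 9 postgresql-jdbc EVR is at or above the fixed version."""
    return _evr_key(installed_evr) >= _evr_key(FIXED_MAGEIA9_EVR)


# Constructed sample inventory (not taken from the advisory or any real deployment)
SAMPLE_DATASOURCES = [
    {"name": "orders", "url": "jdbc:postgresql://db.internal:5432/orders"},
    {"name": "legacy-reports",
     "url": "jdbc:postgresql://db.internal:5432/reports?preferQueryMode=simple&ssl=true"},
    {"name": "batch", "url": "jdbc:postgresql://db.internal/batch",
     "properties": {"preferQueryMode": "simple"}},
    {"name": "analytics",
     "url": "jdbc:postgresql:analytics?preferQueryMode=extendedForPrepared"},
]

if __name__ == "__main__":
    for name in audit_datasources(SAMPLE_DATASOURCES):
        print(f"{name}: preferQueryMode=simple; update pgjdbc or drop the setting")
    for evr in ("42.5.4-1.mga9", FIXED_MAGEIA9_EVR):
        print(f"postgresql-jdbc {evr}: {'fixed' if mageia9_pgjdbc_is_fixed(evr) else 'affected'}")
```

Run it against an exported inventory of JDBC URLs (or the Properties a pool builds) and treat every flagged name as needing either the package update or a return to the default query mode; the version helper applies only to the Mageia 9 package named in this advisory.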

References
Credits

Affected packages

Mageia:9 / postgresql-jdbc

Package

Name
postgresql-jdbc
Purl
pkg:rpm/mageia/postgresql-jdbc?distro=mageia-9

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
42.5.6-1.mga9

Ecosystem specific

{
    "section": "core"
}