CVE-2024-1597
PostgreSQL Schwachstellenanalyse und -minderung

Überblick

A critical SQL injection vulnerability (CVE-2024-1597) was discovered in the PostgreSQL JDBC Driver (pgjdbc) affecting versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28. The vulnerability exists when using the non-default connection property PreferQueryMode=SIMPLE, while the default mode remains unaffected (GitHub Advisory, NVD).

Technische Details

The vulnerability occurs when specific conditions are met: a placeholder for a numeric value must be immediately preceded by a minus sign, and there must be a second placeholder for a string value after the first placeholder on the same line. When operating in simple query mode, the driver would inline the negative value of the first parameter, causing the resulting line to be treated as a SQL comment (--). This behavior extends to the beginning of the next parameter and causes the quoting of that parameter to be consumed by the comment line. The vulnerability has received a CVSS v3.1 base score of 9.8-10.0 CRITICAL (GitHub Advisory, PostgreSQL Advisory).

Aufprall

Successful exploitation of this vulnerability could allow an attacker to bypass SQL injection protections, potentially leading to unauthorized data access, modification of data, or denial of service. The attacker can construct a matching string payload to alter the query, effectively bypassing the protections that parameterized queries typically provide against SQL injection attacks (NetApp Advisory, GitHub Advisory).

Risikominderung und Problemumgehungen

The primary mitigation is to upgrade to the fixed versions: 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, or 42.2.28. For users who cannot immediately upgrade, the recommended workaround is to avoid using the connection property PreferQueryMode=SIMPLE, as the vulnerability does not affect the default query mode. The patch fixes the issue by forcing all parameters to be serialized as wrapped literals (GitHub Advisory, Enterprise DB).

Reaktionen der Community

Various organizations have responded to this vulnerability. Atlassian noted that while the vulnerability is critical in their Confluence dependency, their application's implementation presents a lower assessed risk. NetApp has conducted a comprehensive review of their product line to identify affected systems. Multiple Linux distributions, including Debian and Fedora, have released security updates to address this vulnerability (Debian LTS, Fedora Update).

Zusätzliche Ressourcen


QuelleDieser Bericht wurde mithilfe von KI erstellt

Verwandt PostgreSQL Schwachstellen:

CVE-Kennung

Strenge

Punktzahl

Technologieen

Name der Komponente

CISA KEV-Exploit

Hat fix

Veröffentlichungsdatum

CVE-2026-6638HIGH8.8
  • PostgreSQL logoPostgreSQL
  • postgresql16-pltcl
NeinJaMay 14, 2026
CVE-2026-6637HIGH8.8
  • PostgreSQL logoPostgreSQL
  • postgresql-15
NeinJaMay 14, 2026
CVE-2026-6479HIGH7.5
  • PostgreSQL logoPostgreSQL
  • postgresql15
NeinJaMay 14, 2026
CVE-2026-6478MEDIUM6.5
  • PostgreSQL logoPostgreSQL
  • postgresql16-server-devel-debuginfo
NeinJaMay 14, 2026
CVE-2026-6575MEDIUM4.3
  • PostgreSQL logoPostgreSQL
  • postgresql-10
NeinJaMay 14, 2026

Kostenlose Schwachstellenbewertung

Benchmarking Ihrer Cloud-Sicherheitslage

Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.

Bewertung anfordern

Eine personalisierte Demo anfordern

Sind Sie bereit, Wiz in Aktion zu sehen?

"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
David EstlickCISO
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
Adam FletcherSicherheitsbeauftragter
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"
Greg PoniatowskiLeiter Bedrohungs- und Schwachstellenmanagement