Vulnerability DatabaseCVE-2024-1597

CVE-2024-1597:
Java vulnerability analysis and mitigation

Overview

A critical SQL injection vulnerability (CVE-2024-1597) was discovered in the PostgreSQL JDBC Driver (pgjdbc) affecting versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28. The vulnerability exists when using the non-default connection property PreferQueryMode=SIMPLE, while the default mode remains unaffected (GitHub Advisory, NVD).

Technical details

The vulnerability occurs when specific conditions are met: a placeholder for a numeric value must be immediately preceded by a minus sign, and there must be a second placeholder for a string value after the first placeholder on the same line. When operating in simple query mode, the driver would inline the negative value of the first parameter, causing the resulting line to be treated as a SQL comment (--). This behavior extends to the beginning of the next parameter and causes the quoting of that parameter to be consumed by the comment line. The vulnerability has received a CVSS v3.1 base score of 9.8-10.0 CRITICAL (GitHub Advisory, PostgreSQL Advisory).

Impact

Successful exploitation of this vulnerability could allow an attacker to bypass SQL injection protections, potentially leading to unauthorized data access, modification of data, or denial of service. The attacker can construct a matching string payload to alter the query, effectively bypassing the protections that parameterized queries typically provide against SQL injection attacks (NetApp Advisory, GitHub Advisory).

Mitigation and workarounds

The primary mitigation is to upgrade to the fixed versions: 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, or 42.2.28. For users who cannot immediately upgrade, the recommended workaround is to avoid using the connection property PreferQueryMode=SIMPLE, as the vulnerability does not affect the default query mode. The patch fixes the issue by forcing all parameters to be serialized as wrapped literals (GitHub Advisory, Enterprise DB).

Community reactions

Various organizations have responded to this vulnerability. Atlassian noted that while the vulnerability is critical in their Confluence dependency, their application's implementation presents a lower assessed risk. NetApp has conducted a comprehensive review of their product line to identify affected systems. Multiple Linux distributions, including Debian and Fedora, have released security updates to address this vulnerability (Debian LTS, Fedora Update).

Additional resources

Source: This report was generated using AI

9.8

Score

Published February 19, 2024

Severity CRITICAL

CNA Score 10.0

High-profile Vulnerability Yes

Affected Technologies

Java
Bamboo

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 36.8

Exploitation Probability (EPSS) 0.2

Affected packages and libraries

trino
cpe:2.3:a:atlassian:bamboo

Sources

AlmaLinux Security Advisory
- AlmaLinux 8 Severity HIGHHas FixAdded at: Mar 24, 2024
- AlmaLinux 9 Severity HIGHHas FixAdded at: Mar 24, 2024
Alpine Security Tracker
- Alpine 3.19 Severity CRITICALHas FixAdded at: Apr 04, 2024
- Alpine 3.20 Severity CRITICALHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity CRITICALHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity CRITICALHas FixAdded at: Jun 01, 2025
- Alpine edge Severity CRITICALHas FixAdded at: Apr 03, 2024
Chainguard
- Chainguard Has FixAdded at: Feb 22, 2024
Debian Security Tracker
- Debian 10, 11, 12, 13 Severity CRITICALHas FixAdded at: Feb 22, 2024
GitHub Advisory Database
- Maven Severity CRITICALHas FixAdded at: Feb 22, 2024
Red Hat Errata
- Red Hat 8, 9 Severity HIGHHas FixAdded at: Feb 28, 2024
Rocky Linux Product Errata
- Rocky 8 Severity HIGHHas FixAdded at: Apr 09, 2024
- Rocky 9 Severity HIGHHas FixAdded at: May 12, 2024
Wolfi
- Wolfi Has FixAdded at: Feb 22, 2024
NVD
- Linux Severity CRITICALHas FixAdded at: Mar 20, 2024
- Windows Severity CRITICALHas FixAdded at: Mar 20, 2024