High severity (score 8.1, NVD). Advisory published Mar 6, 2024; updated May 21, 2026.
CVE-2024-27289
Description
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.
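The conditions above are mostly about the shape of the query text, so the cheapest defensive check is a review-time scan for a minus directly in front of a placeholder with a second placeholder later on the same line. The Go program below is an added example written for this page; it is not code from the pgx project or from the advisory, and the names `FindMinusPlaceholders`, `IsAtRisk`, `SafeRewrite` and the sample queries are all constructed here. It implements the advisory's second workaround (separate the minus from the placeholder) as a mechanical rewrite, and flags query strings that still match the risky shape. It cannot see whether the simple protocol is enabled or which placeholder is numeric, so a hit means "review this", and upgrading to pgx 4.18.2 or later remains the real fix.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// minusBeforePlaceholder matches a '-' immediately followed by a pgx
// positional placeholder ($1, $2, ...). "balance - $1" (with a space)
// does not match, which is exactly the advisory's second workaround.
var minusBeforePlaceholder = regexp.MustCompile(`-\$[0-9]+`)

// anyPlaceholder matches any positional placeholder.
var anyPlaceholder = regexp.MustCompile(`\$[0-9]+`)

// Finding records one "-$N" occurrence in a query string.
type Finding struct {
	Line   int    // 1-based line within the query text
	Column int    // 0-based byte offset of the '-' within that line
	Match  string // the matched text, e.g. "-$1"
}

// FindMinusPlaceholders reports every "-$N" in sql, line by line.
func FindMinusPlaceholders(sql string) []Finding {
	var out []Finding
	for i, line := range strings.Split(sql, "\n") {
		for _, loc := range minusBeforePlaceholder.FindAllStringIndex(line, -1) {
			out = append(out, Finding{Line: i + 1, Column: loc[0], Match: line[loc[0]:loc[1]]})
		}
	}
	return out
}

// IsAtRisk reports whether sql has the shape the advisory describes:
// a "-$N" with at least one further placeholder later on the same line.
// It cannot tell whether $N is bound to a number, whether the later
// placeholder is bound to a string, or whether the connection uses the
// simple protocol; those remaining conditions are checked by a reviewer
// (or removed altogether by upgrading to pgx 4.18.2 or later).
func IsAtRisk(sql string) bool {
	for _, line := range strings.Split(sql, "\n") {
		for _, loc := range minusBeforePlaceholder.FindAllStringIndex(line, -1) {
			if anyPlaceholder.MatchString(line[loc[1]:]) {
				return true
			}
		}
	}
	return false
}

// SafeRewrite applies the advisory's workaround mechanically: it puts a
// space between the '-' and the placeholder, which leaves the SQL
// arithmetic unchanged but breaks the "minus directly before a
// placeholder" precondition.
func SafeRewrite(sql string) string {
	return minusBeforePlaceholder.ReplaceAllStringFunc(sql, func(m string) string {
		return "- " + m[1:]
	})
}

func main() {
	// Constructed sample queries for illustration; they are not taken
	// from the advisory or from any real code base.
	queries := []string{
		"SELECT -$1, $2",                                   // advisory's shape
		"SELECT 0 - $1, $2",                                // spaced: not flagged
		"UPDATE t SET balance = balance -$1 WHERE id = $2", // advisory's shape
		"SELECT -$1\nFROM t WHERE name = $2",               // different lines: not flagged
	}
	for _, q := range queries {
		fmt.Printf("%-52q at risk: %-5v rewrite: %q\n", q, IsAtRisk(q), SafeRewrite(q))
	}
}
```

Run it with `go run .` to see the four constructed queries classified and rewritten. The scanner is deliberately dumb text matching: it does not parse SQL, so a `-$N` inside a string literal or comment is also reported, and it never matches the JSON `->` operator because the regex requires the `$` right after the `-`. Treat its output as a review queue, not a verdict.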
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/jackc/pgx | Go | < 4.18.2 | 4.18.2 |
| github.com/jackc/pgx/v4 | Go | < 4.18.2 | 4.18.2 |
Affected products
69 package coordinates (OSV); none of them has a CPE assigned. Each range lists the vulnerable versions.
| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/argo-workflow-cli | < 3.5.5-r3 |
| pkg:apk/chainguard/argo-workflow-cli-fips | < 3.5.5-r2 |
| pkg:apk/chainguard/argo-workflow-controller | < 3.5.5-r3 |
| pkg:apk/chainguard/argo-workflow-controller-compat | < 3.5.5-r3 |
| pkg:apk/chainguard/argo-workflow-controller-compat-fips | < 3.5.5-r2 |
| pkg:apk/chainguard/argo-workflow-controller-fips | < 3.5.5-r2 |
| pkg:apk/chainguard/argo-workflow-executor | < 3.5.5-r3 |
| pkg:apk/chainguard/argo-workflow-executor-compat | < 3.5.5-r3 |
| pkg:apk/chainguard/argo-workflow-executor-compat-fips | < 3.5.5-r2 |
| pkg:apk/chainguard/argo-workflow-executor-fips | < 3.5.5-r2 |
| pkg:apk/chainguard/argo-workflows | < 3.5.5-r3 |
| pkg:apk/chainguard/argo-workflows-fips | < 3.5.5-r2 |
| pkg:apk/chainguard/argo-workflows-known-hosts | < 3.5.5-r3 |
| pkg:apk/chainguard/argo-workflows-known-hosts-fips | < 3.5.5-r2 |
| pkg:apk/chainguard/argo-workflows-ui | < 3.5.5-r3 |
| pkg:apk/chainguard/caddy | < 2.7.6-r4 |
| pkg:apk/chainguard/caddy-fips | < 2.7.6-r1 |
| pkg:apk/chainguard/caddy-man | < 2.7.6-r4 |
| pkg:apk/chainguard/caddy-src | < 2.7.6-r4 |
| pkg:apk/chainguard/kots | < 1.108.1-r0 |
| pkg:apk/chainguard/kots-compat | < 1.108.1-r0 |
| pkg:apk/chainguard/kots-symlink-compat | < 1.108.1-r0 |
| pkg:apk/chainguard/step | < 0.28.6-r0 |
| pkg:apk/chainguard/step-ca | < 0.25.2-r5 |
| pkg:apk/chainguard/telegraf-1.26 | < 1.26.3-r14 |
| pkg:apk/chainguard/telegraf-1.27 | < 1.27.4-r16 |
| pkg:apk/chainguard/telegraf-1.28 | < 1.28.5-r8 |
| pkg:apk/chainguard/telegraf-1.29 | < 1.29.5-r4 |
| pkg:apk/chainguard/telegraf-1.30 | < 1.30.0-r2 |
| pkg:apk/chainguard/trillian | < 1.6.0-r2 |
| pkg:apk/chainguard/trillian-fips | < 1.6.0-r2 |
| pkg:apk/chainguard/trillian-fips-logserver | < 1.6.0-r2 |
| pkg:apk/chainguard/trillian-fips-logsigner | < 1.6.0-r2 |
| pkg:apk/chainguard/trillian-logserver | < 1.6.0-r2 |
| pkg:apk/chainguard/trillian-logsigner | < 1.6.0-r2 |
| pkg:apk/chainguard/vault-1.13 | < 1.13.13-r2 |
| pkg:apk/chainguard/vault-1.13-compat | < 1.13.13-r2 |
| pkg:apk/chainguard/vault-1.13-entrypoint | < 1.13.13-r2 |
| pkg:apk/chainguard/wavefront-collector-for-kubernetes-1.12 | < 1.12.1-r9 |
| pkg:apk/chainguard/wavefront-collector-for-kubernetes-1.13 | < 1.13.0-r9 |
| pkg:apk/wolfi/argo-workflow-cli | < 3.5.5-r3 |
| pkg:apk/wolfi/argo-workflow-controller | < 3.5.5-r3 |
| pkg:apk/wolfi/argo-workflow-controller-compat | < 3.5.5-r3 |
| pkg:apk/wolfi/argo-workflow-executor | < 3.5.5-r3 |
| pkg:apk/wolfi/argo-workflow-executor-compat | < 3.5.5-r3 |
| pkg:apk/wolfi/argo-workflows | < 3.5.5-r3 |
| pkg:apk/wolfi/argo-workflows-known-hosts | < 3.5.5-r3 |
| pkg:apk/wolfi/argo-workflows-ui | < 3.5.5-r3 |
| pkg:apk/wolfi/caddy | < 2.7.6-r4 |
| pkg:apk/wolfi/caddy-man | < 2.7.6-r4 |
| pkg:apk/wolfi/caddy-src | < 2.7.6-r4 |
| pkg:apk/wolfi/kots | < 1.108.1-r0 |
| pkg:apk/wolfi/kots-compat | < 1.108.1-r0 |
| pkg:apk/wolfi/kots-symlink-compat | < 1.108.1-r0 |
| pkg:apk/wolfi/step | < 0.28.6-r0 |
| pkg:apk/wolfi/step-ca | < 0.25.2-r5 |
| pkg:apk/wolfi/telegraf-1.26 | < 1.26.3-r14 |
| pkg:apk/wolfi/telegraf-1.27 | < 1.27.4-r16 |
| pkg:apk/wolfi/telegraf-1.28 | < 1.28.5-r8 |
| pkg:apk/wolfi/telegraf-1.29 | < 1.29.5-r4 |
| pkg:apk/wolfi/telegraf-1.30 | < 1.30.0-r2 |
| pkg:apk/wolfi/trillian | < 1.6.0-r2 |
| pkg:apk/wolfi/trillian-logserver | < 1.6.0-r2 |
| pkg:apk/wolfi/trillian-logsigner | < 1.6.0-r2 |
| pkg:apk/wolfi/vault-1.13 | < 1.13.13-r2 |
| pkg:apk/wolfi/vault-1.13-compat | < 1.13.13-r2 |
| pkg:apk/wolfi/vault-1.13-entrypoint | < 1.13.13-r2 |
| pkg:golang/github.com/jackc/pgx | < 4.18.2 |
| pkg:golang/github.com/jackc/pgx/v4 | < 4.18.2 |
References
- github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df (NVD: Patch)
- github.com/advisories/GHSA-m7wr-2xf7-cm9p (GHSA: Advisory)
- github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p (NVD: Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-27289 (GHSA: Advisory)
- www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/ (NVD: Third Party Advisory; GHSA: Web)