CVE-2024-1597 – pgjdbc SQL Injection via line comment generation

https://notcve.org/view.php?id=CVE-2024-1597

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. • http://www.openwall.com/lists/oss-security/2024/04/02/6 https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56 https://lists.debian.org/debian-lts-announce/2024/05/msg00007.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZQTSMESZD2RJ5XBPSXH3TIQVUW5DIUU https://security.netapp.com/advisory/ntap-20240419-0008 https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes https://www.enterprisedb.com/docs/security/assessments/ • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •