Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/14996?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/14996?format=api", "vulnerability_id": "VCID-rwwd-8qgf-f3ac", "summary": "Duplicate Advisory: SQL injection in pgjdbc\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-24rp-q3w6-vc56. This link is maintained to preserve external references.\n\n## Original Description\npgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.", "aliases": [ { "alias": "GHSA-xfg6-62px-cxc2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52736?format=api", "purl": "pkg:maven/org.postgresql/postgresql@42.2.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7p16-8nb5-kucz" }, { "vulnerability": "VCID-hpc5-vtmd-gub5" }, { "vulnerability": "VCID-qub7-qp14-uqcg" }, { "vulnerability": "VCID-uzj4-puvz-zfgh" }, { "vulnerability": "VCID-vdtn-ek54-nqh6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.postgresql/postgresql@42.2.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/52735?format=api", "purl": "pkg:maven/org.postgresql/postgresql@42.3.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.postgresql/postgresql@42.3.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/52734?format=api", "purl": "pkg:maven/org.postgresql/postgresql@42.4.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.postgresql/postgresql@42.4.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/52729?format=api", "purl": "pkg:maven/org.postgresql/postgresql@42.5.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.postgresql/postgresql@42.5.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/52724?format=api", "purl": "pkg:maven/org.postgresql/postgresql@42.6.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.postgresql/postgresql@42.6.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/52718?format=api", "purl": "pkg:maven/org.postgresql/postgresql@42.7.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.postgresql/postgresql@42.7.2" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44718?format=api", "purl": "pkg:maven/org.postgresql/postgresql@42.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6r4u-tem9-vkey" }, { "vulnerability": "VCID-7p16-8nb5-kucz" }, { "vulnerability": "VCID-ba8g-gn36-7bdp" }, { "vulnerability": "VCID-hpc5-vtmd-gub5" }, { "vulnerability": "VCID-qub7-qp14-uqcg" }, { "vulnerability": "VCID-rwwd-8qgf-f3ac" }, { "vulnerability": "VCID-uzj4-puvz-zfgh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.postgresql/postgresql@42.3.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/144311?format=api", "purl": "pkg:maven/org.postgresql/postgresql@42.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6r4u-tem9-vkey" }, { "vulnerability": "VCID-ba8g-gn36-7bdp" }, { "vulnerability": "VCID-qub7-qp14-uqcg" }, { "vulnerability": "VCID-rwwd-8qgf-f3ac" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.postgresql/postgresql@42.4.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/144825?format=api", "purl": "pkg:maven/org.postgresql/postgresql@42.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6r4u-tem9-vkey" }, { "vulnerability": "VCID-qub7-qp14-uqcg" }, { "vulnerability": "VCID-rwwd-8qgf-f3ac" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.postgresql/postgresql@42.5.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/145034?format=api", "purl": "pkg:maven/org.postgresql/postgresql@42.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6r4u-tem9-vkey" }, { "vulnerability": "VCID-rwwd-8qgf-f3ac" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.postgresql/postgresql@42.6.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/145035?format=api", "purl": "pkg:maven/org.postgresql/postgresql@42.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6r4u-tem9-vkey" }, { "vulnerability": "VCID-rwwd-8qgf-f3ac" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.postgresql/postgresql@42.7.0" } ], "references": [ { "reference_url": "https://github.com/pgjdbc/pgjdbc", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pgjdbc/pgjdbc" }, { "reference_url": "https://github.com/pgjdbc/pgjdbc/commit/06abfb78a627277a580d4df825f210e96a4e14ee", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pgjdbc/pgjdbc/commit/06abfb78a627277a580d4df825f210e96a4e14ee" }, { "reference_url": "https://github.com/pgjdbc/pgjdbc/commit/93b0fcb2711d9c1e3a2a03134369738a02a58b40", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pgjdbc/pgjdbc/commit/93b0fcb2711d9c1e3a2a03134369738a02a58b40" }, { "reference_url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00007.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00007.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZQTSMESZD2RJ5XBPSXH3TIQVUW5DIUU", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZQTSMESZD2RJ5XBPSXH3TIQVUW5DIUU" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1597", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1597" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240419-0008", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240419-0008" }, { "reference_url": "https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes" }, { "reference_url": "https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/04/02/6", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/04/02/6" }, { "reference_url": "https://github.com/advisories/GHSA-xfg6-62px-cxc2", "reference_id": "GHSA-xfg6-62px-cxc2", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xfg6-62px-cxc2" } ], "weaknesses": [ { "cwe_id": 89, "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "description": "The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "9.0 - 10.0", "exploitability": "0.5", "weighted_severity": "9.0", "risk_score": 4.5, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rwwd-8qgf-f3ac" }