CVE-2024-1597 Overview
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. This is not the default configuration, and the default mode does not present this vulnerability. The vulnerability occurs when a placeholder for a numeric value is immediately preceded by a minus sign. Additionally, there is a requirement for a second placeholder for a string value on the same line. By crafting an appropriate string payload, an attacker can inject SQL, bypassing the protections against SQL Injection attacks that are generally provided by parameterized queries.
Critical Impact
This vulnerability can be exploited remotely with no authentication required. It poses a high risk due to its critical severity score of 9.8.
Affected Products
- postgresql postgresql_jdbc_driver
- fedoraproject fedora
Discovery Timeline
- 2024-02-19 - CVE-2024-1597 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-1597
Vulnerability Analysis
This vulnerability is associated with the PostgreSQL JDBC Driver (pgjdbc). It manifests when using PreferQueryMode=SIMPLE, which reduces the protection that parameterized queries provide against SQL injection. The vulnerability arises from improper input validation in the construction of SQL queries. An attacker can manipulate input data to alter the SQL command's logic.
Root Cause
The root cause is improper validation of input placeholders in mode PreferQueryMode=SIMPLE, which allows SQL injection.
Attack Vector
The attack vector is Network, meaning an attacker can exploit this vulnerability remotely without any prior access to the system.
-- Example exploitation code (sanitized)
SELECT * FROM users WHERE id = ? AND name = ?;
-- Malicious input could alter the query to
SELECT * FROM users WHERE id = -1 OR 1=1; -- AND name = '';
Detection Methods for CVE-2024-1597
Indicators of Compromise
- Anomalous SQL queries in logs
- Usage of special characters in input fields
- Inclusion of comment markers (--) in SQL queries
Detection Strategies
Detection involves monitoring SQL logs for suspicious patterns that deviate from regular query structures. Unusual use of operators, comments, or logical operations should be reviewed.
Monitoring Recommendations
Implement SQL query logging and alerting using IDS/IPS systems capable of detecting SQL injection attempts. Configure verbose logging settings to immediately flag unusual SQL behavior.
How to Mitigate CVE-2024-1597
Immediate Actions Required
- Switch from PreferQueryMode=SIMPLE to a safer mode
- Apply the latest security patches released by PostgreSQL
- Implement input validation and sanitation properly
Patch Information
Security patches have been released in versions 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 of the PostgreSQL JDBC Driver. Upgrading to these or later versions will mitigate the vulnerability.
Workarounds
Until a patch is applied, use safer parameterization methods and validate all inputs to ensure they meet the expected formats and lengths. Avoid using PreferQueryMode=SIMPLE where possible.
# Configuration example
# Ensure jdbc connection does not use SIMPLE mode
jdbc:postgresql://host:port/database?preferQueryMode=extended
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
