{"id":"UBUNTU-CVE-2024-27304","details":"pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size: the computed message size overflows once the message passes 4 GB, so the one oversized message is written to the connection as multiple protocol messages whose boundaries and contents are under the attacker's control, which lets data supplied as a bound parameter be reinterpreted as separate messages. The affected encoding is in the pgproto3 wire-protocol package (see GHSA-7jwh-3vrq-q3m8), which is why both golang-github-jackc-pgx and golang-github-jackc-pgproto3 are listed as affected. Upstream resolved the problem in pgx v4.18.2 and v5.5.4; no fixed release is listed for the pgx v3 line (Ubuntu 22.04 ships 3.6.2). None of the affected entries in this record carry a fixed event, and every listed pgx version (3.6.2, 4.15.0, 4.18.1) is older than v4.18.2, so per this record the Ubuntu packages remain unpatched. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size; apply the limit to the total size of one statement together with all of its bound parameters, not to each parameter on its own. Note that this record carries an Ubuntu priority of medium alongside a CVSS 3.1 vector that scores as critical; exploitation requires delivering a multi-gigabyte payload into a single statement, so assess exposure by whether untrusted input of that size can reach one query or bind message.","modified":"2026-05-20T16:08:57.009474003Z","published":"2024-03-06T19:15:00Z","upstream":["CVE-2024-27304"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-27304"},{"type":"REPORT","url":"https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv"},{"type":"REPORT","url":"https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4"},{"type":"REPORT","url":"https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8"},{"type":"REPORT","url":"https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df"},{"type":"REPORT","url":"https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8"},{"type":"REPORT","url":"https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007"},{"type":"REPORT","url":"https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4"},{"type":"REPORT","url":"https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8"},{"type":"REPORT","url":"https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-27304"}],"affected":[{"package":{"name":"golang-github-jackc-pgx","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/golang-github-jackc-pgx?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.6.2-2"],"ecosystem_specific":{"binaries":[{"binary_version":"3.6.2-2","binar
y_name":"golang-github-jackc-pgx-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-27304.json"}},{"package":{"name":"golang-github-jackc-pgproto3","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/golang-github-jackc-pgproto3?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.2.0-2","2.3.2-1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.3.2-1","binary_name":"golang-github-jackc-pgproto3-v2-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-27304.json"}},{"package":{"name":"golang-github-jackc-pgx","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/golang-github-jackc-pgx?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.15.0-4","4.18.1-1"],"ecosystem_specific":{"binaries":[{"binary_version":"4.18.1-1","binary_name":"golang-github-jackc-pgx-v4-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-27304.json"}},{"package":{"name":"golang-github-jackc-pgproto3","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/golang-github-jackc-pgproto3?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.3.2-1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.3.2-1","binary_name":"golang-github-jackc-pgproto3-v2-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-27304.json"}},{"package":{"name":"golang-github-jackc-pgx","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/golang-github-jackc-pgx?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.18.1-1","4.18.1-2"],"ecosystem_specific":{"binaries":[{"binary_version":"4.18.1-2","binary_n
ame":"golang-github-jackc-pgx-v4-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-27304.json"}},{"package":{"name":"golang-github-jackc-pgproto3","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/golang-github-jackc-pgproto3?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.3.2-1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.3.2-1","binary_name":"golang-github-jackc-pgproto3-v2-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-27304.json"}},{"package":{"name":"golang-github-jackc-pgx","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/golang-github-jackc-pgx?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.18.1-2"],"ecosystem_specific":{"binaries":[{"binary_version":"4.18.1-2","binary_name":"golang-github-jackc-pgx-v4-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-27304.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}