From 443b26499817e2a57fa550e54db4f0b2b5f07eb2 Mon Sep 17 00:00:00 2001
From: Zvonimir Pavlinovic
Date: Thu, 12 Sep 2024 21:57:41 +0000
Subject: [PATCH] data/reports: update GO-2024-2605
- data/reports/GO-2024-2605.yaml
Updates golang/vulndb#2605
Updates golang/go#69392
Change-Id: Ib684227e0cae0c5ca7183a99753d09a39d250b2e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/612856
Reviewed-by: Tatiana Bradley
LUCI-TryBot-Result: Go LUCI
Auto-Submit: Zvonimir Pavlinovic
---
 data/osv/GO-2024-2605.json | 27 +++++++++++++++++++++++++++
 data/reports/GO-2024-2605.yaml | 8 ++++++++
 2 files changed, 35 insertions(+)
diff --git a/data/osv/GO-2024-2605.json b/data/osv/GO-2024-2605.json
index e3e6632a..0b17dee9 100644
--- a/data/osv/GO-2024-2605.json
+++ b/data/osv/GO-2024-2605.json
@@ -10,6 +10,33 @@
 "summary": "SQL injection in github.com/jackc/pgx/v4",
 "details": "SQL injection is possible when the database uses the non-default simple protocol, a minus sign directly precedes a numeric placeholder followed by a string placeholder on the same line, and both parameter values are user-controlled.",
 "affected": [
+ {
+ "package": {
+ "name": "github.com/jackc/pgx",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/jackc/pgx/internal/sanitize",
+ "symbols": [
+ "Query.Sanitize",
+ "SanitizeSQL"
+ ]
+ }
+ ]
+ }
+ },
 {
 "package": {
 "name": "github.com/jackc/pgx/v4",
diff --git a/data/reports/GO-2024-2605.yaml b/data/reports/GO-2024-2605.yaml
index 375dec6d..97dca78f 100644
--- a/data/reports/GO-2024-2605.yaml
+++ b/data/reports/GO-2024-2605.yaml
@@ -1,5 +1,13 @@
 id: GO-2024-2605
 modules:
+ - module: github.com/jackc/pgx
+ vulnerable_at: 3.6.2+incompatible
+ packages:
+ - package: github.com/jackc/pgx/internal/sanitize
+ symbols:
+ - Query.Sanitize
+ derived_symbols:
+ - SanitizeSQL
 - module: github.com/jackc/pgx/v4
 versions:
 - fixed: 4.18.2
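Review bot: The new `github.com/jackc/pgx` module entry carries only `vulnerable_at: 3.6.2+incompatible` and no `versions:` block, so the regenerated OSV in this same commit encodes it as `introduced: "0"` with no `fixed` event, meaning every release under the unversioned module path (all of pgx v3 and earlier, per the `+incompatible` suffix) is flagged as vulnerable indefinitely. If that is deliberate because no release on that path contains the sanitize fix, the report should state it where users will read it rather than leaving it implied by a missing `fixed:`, for example by appending to the description `No fixed version exists for github.com/jackc/pgx (v3 and earlier); migrate to github.com/jackc/pgx/v4 4.18.2 or later.` (4.18.2 being the fix the v4 entry already records). The generated summary still reads `SQL injection in github.com/jackc/pgx/v4`, which now understates the affected set; since data/osv appears to be derived from this report (the commit touches both files but is titled only `data/reports:`), the `summary:` field of the report should be widened and the JSON regenerated rather than hand-edited. The `modules:` list continues past the end of this hunk, so whether any further module entries (e.g. a v5 path) or a `summary:` change are present in the rest of the file cannot be confirmed from here.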