CNNVD-202506-1685 Information
CNNVD ID
CNNVD-202506-1685
Related CVE
CVE-2024-44906
CNNVD Published
2025-06-12
Description (Chinese, translated)
Uptrace pgdriver is a Go library from the Moldovan company Uptrace. Uptrace pgdriver v1.2.1 contains a security vulnerability: the appendArg function in /pgdriver/format.go does not validate its input, which can lead to SQL injection.
Description (English)
Uptrace pgdriver is a Go library (the PostgreSQL driver in the uptrace/bun repository) from Uptrace, a Moldovan company. pgdriver version 1.2.1 contains a security vulnerability originating in the appendArg function in /pgdriver/format.go, which does not validate its input and could therefore allow SQL injection.
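The entry above names the mechanism (an argument-appending routine in a driver that renders query arguments into SQL text on the client) but not the details. The following is an added illustration of that general mechanism, not pgdriver's code and not a reproduction of the specific flaw tracked here: a naive appendArg that splices a string in unchanged beside one that quotes it as a standard PostgreSQL literal (single quotes doubled, backslashes left alone because standard_conforming_strings is on by default, NUL bytes rejected since text values cannot contain them), driven by a small placeholder formatter that also skips '?' inside string literals. All function names, the query text and the payload are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed example; not pgdriver's implementation.
var (
	ErrTooFewArgs  = errors.New("too few arguments for placeholders")
	ErrUnsupported = errors.New("unsupported argument type")
	ErrNUL         = errors.New("NUL byte is not allowed in a text value")
)

// appendArgRaw is the unsafe variant: a string argument is wrapped in
// quotes but otherwise copied verbatim, so a quote inside the argument
// terminates the literal and the rest is parsed as SQL.
func appendArgRaw(dst []byte, arg any) ([]byte, error) {
	switch v := arg.(type) {
	case string:
		dst = append(dst, '\'')
		dst = append(dst, v...)
		return append(dst, '\''), nil
	case int64:
		return strconv.AppendInt(dst, v, 10), nil
	case nil:
		return append(dst, "NULL"...), nil
	}
	return nil, ErrUnsupported
}

// appendArgSafe renders a string as a standard PostgreSQL literal:
// every single quote is doubled, backslashes are ordinary characters
// (standard_conforming_strings=on), and NUL is refused outright.
func appendArgSafe(dst []byte, arg any) ([]byte, error) {
	switch v := arg.(type) {
	case string:
		if strings.IndexByte(v, 0) >= 0 {
			return nil, ErrNUL
		}
		dst = append(dst, '\'')
		for i := 0; i < len(v); i++ {
			if v[i] == '\'' {
				dst = append(dst, '\'')
			}
			dst = append(dst, v[i])
		}
		return append(dst, '\''), nil
	case int64:
		return strconv.AppendInt(dst, v, 10), nil
	case nil:
		return append(dst, "NULL"...), nil
	}
	return nil, ErrUnsupported
}

// formatQuery substitutes each '?' placeholder that is outside a
// single-quoted literal with the next argument, using the supplied
// appendArg routine. A '?' inside a literal is left untouched.
func formatQuery(query string, appendArg func([]byte, any) ([]byte, error), args ...any) (string, error) {
	dst := make([]byte, 0, len(query)+32)
	argi := 0
	inString := false
	for i := 0; i < len(query); i++ {
		c := query[i]
		switch {
		case c == '\'':
			// A doubled quote toggles twice, which keeps the state correct.
			inString = !inString
			dst = append(dst, c)
		case c == '?' && !inString:
			if argi >= len(args) {
				return "", ErrTooFewArgs
			}
			var err error
			if dst, err = appendArg(dst, args[argi]); err != nil {
				return "", err
			}
			argi++
		default:
			dst = append(dst, c)
		}
	}
	return string(dst), nil
}

func main() {
	q := "SELECT id FROM users WHERE name = ? AND role = 'guest'"
	payload := "x' OR '1'='1" // constructed injection-shaped input
	raw, _ := formatQuery(q, appendArgRaw, payload)
	safe, _ := formatQuery(q, appendArgSafe, payload)
	fmt.Println("raw: ", raw)
	fmt.Println("safe:", safe)
}
```

With the raw variant the payload escapes the literal and the trailing `AND role = 'guest'` no longer constrains the query; with the safe variant the whole payload remains a single string value. The practical check for any client-side formatter is the same: feed it quotes, doubled quotes, backslashes, NUL and a `?` inside a literal, and confirm the rendered SQL still has the shape the query template had.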
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
uptrace
Published
2025-06-12
Last Modified
2026-02-24
References
https://github.com/advisories/GHSA-h4h6-vccr-44h2
https://github.com/uptrace/bun/tree/master/driver/pgdriver
https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/
https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn%27t%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
https://github.com/uptrace/bun/blob/1573ae7c2fffad1a7f72fd2d205e924b2fd4043b/driver/pgdriver/format.go#L62
https://nvd.nist.gov/vuln/detail/CVE-2024-44906
https://access.redhat.com/security/cve/cve-2024-44906
Patch
https://github.com/uptrace/bun/releases