PYSEC-2023-87

Vulnerability from pysec - Published: 2023-04-18 22:15 - Updated: 2023-06-14 20:24
VLAI?
Details

sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit e75e358. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit c457abd5f. Users are advised to upgrade. There are no known workarounds for this issue.

Impacted products
Name purl
sqlparse pkg:pypi/sqlparse
Aliases
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "sqlparse",
        "purl": "pkg:pypi/sqlparse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "c457abd5f097dd13fb21543381e7cfafe7d31cfb"
            },
            {
              "fixed": "e75e35869473832a1eb67772b1adfee2db11b85a"
            }
          ],
          "repo": "https://github.com/andialbrecht/sqlparse",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0.1.15"
            },
            {
              "fixed": "0.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.15",
        "0.1.16",
        "0.1.17",
        "0.1.18",
        "0.1.19",
        "0.2.0",
        "0.2.1",
        "0.2.2",
        "0.2.3",
        "0.2.4",
        "0.3.0",
        "0.3.1",
        "0.4.0",
        "0.4.1",
        "0.4.2",
        "0.4.3"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30608",
    "GHSA-rrm6-wvj7-cwh2"
  ],
  "details": "sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.\n",
  "id": "PYSEC-2023-87",
  "modified": "2023-06-14T20:24:17.342510Z",
  "published": "2023-04-18T22:15:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"
    },
    {
      "type": "FIX",
      "url": "https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb"
    },
    {
      "type": "FIX",
      "url": "https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a"
    },
    {
      "type": "ARTICLE",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00017.html"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.