Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14djZ4LTQzZ3EtNGhmas3KKQ

PyGreSQL Might Be Vulnerable to Encoding-Based SQL Injection

PyGreSQL 3.8 did not use PostgreSQL’s safe string and bytea functions in its own escaping functions. As a result, applications written to use PyGreSQL’s escaping functions are vulnerable to SQL injection when processing certain multi-byte character sequences. Because the safe functions require a database connection, pg.escape_string() and pg.escape_bytea() remain available for backwards compatibility, but applications must be adjusted to use the new pyobj.escape_string() and pyobj.escape_bytea() methods on the connection object. For example, code containing:

import pg
connection = pg.connect(...)
# Module-level helper: escapes without knowing the connection's client encoding
escaped = pg.escape_string(untrusted_input)

should be adjusted to use:

import pg
connection = pg.connect(...)
# Connection method: uses PostgreSQL's encoding-aware escaping for this connection
escaped = connection.escape_string(untrusted_input)
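
As a defensive check to go with this advisory (an added example, not code from PyGreSQL or from the advisory itself): the script below uses Python's standard ast module to find calls to the connection-unaware pg.escape_string()/pg.escape_bytea() helpers in application source and reports the connection method to use instead. The sample source it scans is constructed, and the function name find_unsafe_escapes and the alias handling are the example's own.

```python
"""Find calls to PyGreSQL's connection-unaware escaping helpers.

Added example (not from the advisory or PyGreSQL): walks a module's AST and
reports pg.escape_string()/pg.escape_bytea() calls that should become
connection.escape_string()/connection.escape_bytea()."""
import ast

# Module-level helper name -> the connection method that replaces it.
UNSAFE = {"escape_string": "connection.escape_string",
          "escape_bytea": "connection.escape_bytea"}

def _pg_aliases(tree):
    """Names the `pg` module is bound to (handles `import pg as p`)."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "pg":
                    names.add(alias.asname or "pg")
    return names

def find_unsafe_escapes(source):
    """Return a list of (line, call, replacement) for each unsafe call."""
    tree = ast.parse(source)
    aliases = _pg_aliases(tree)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        fn = node.func
        # Only attribute calls on the pg module itself are the unsafe form;
        # connection.escape_string(...) is the fix and is left alone.
        if (isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name)
                and fn.value.id in aliases and fn.attr in UNSAFE):
            hits.append((node.lineno, f"{fn.value.id}.{fn.attr}", UNSAFE[fn.attr]))
    return hits

# Constructed sample mirroring the advisory's "before" and "after" snippets.
SAMPLE = """
import pg
connection = pg.connect(dbname="app")
bad = pg.escape_string(untrusted_input)
bad_bytes = pg.escape_bytea(blob)
good = connection.escape_string(untrusted_input)
"""

if __name__ == "__main__":
    for line, call, fix in find_unsafe_escapes(SAMPLE):
        print(f"line {line}: {call}() -> use {fix}()")
```

Run it against the application's source tree before upgrading to a fixed release; every reported call is a site that still bypasses the connection's encoding-aware escaping.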

Permalink: https://github.com/advisories/GHSA-xv6x-43gq-4hfj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14djZ4LTQzZ3EtNGhmas3KKQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 3 months ago


Identifiers: GHSA-xv6x-43gq-4hfj, CVE-2009-2940
References: Repository: https://github.com/PyGreSQL/PyGreSQL
Blast Radius: 0.0

Affected Packages

pypi:PyGreSQL
Dependent packages: 6
Dependent repositories: 32
Downloads: 166,187 last month
Affected Version Ranges: = 4.0, <= 3.8.1
Fixed in: 4.1
All affected versions: 3.8.1
All unaffected versions: 4.1.1, 4.2.1, 4.2.2, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.6, 5.0.7, 5.1.1, 5.1.2, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 6.0.1