Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ycm02LXd2ajctY3doMs4AAy63
sqlparse contains a regular expression that is vulnerable to Regular Expression Denial of Service
Impact
The SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The vulnerability may lead to Denial of Service (DoS).
Patches
This issue has been fixed in sqlparse 0.4.4.
Workarounds
None.
References
This issue was discovered and reported by GHSL team member @erik-krogh (Erik Krogh Kristensen).
- Commit that introduced the vulnerability: e75e35869473832a1eb67772b1adfee2db11b85a
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ycm02LXd2ajctY3doMs4AAy63
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 24 days ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Identifiers: GHSA-rrm6-wvj7-cwh2, CVE-2023-30608
References:
- https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
- https://nvd.nist.gov/vuln/detail/CVE-2023-30608
- https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
- https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://lists.debian.org/debian-lts-announce/2023/05/msg00017.html
- https://github.com/pypa/advisory-database/tree/main/vulns/sqlparse/PYSEC-2023-87.yaml
- https://github.com/advisories/GHSA-rrm6-wvj7-cwh2
Blast Radius: 29.2
Affected Packages
pypi:sqlparse
Dependent packages: 429
Dependent repositories: 201,134
Downloads: 65,640,289 last month
Affected Version Ranges: >= 0.1.15, < 0.4.4
Fixed in: 0.4.4
All affected versions: 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.4.4, 0.5.0, 0.5.1, 0.5.2