Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1ycm02LXd2ajctY3doMs4AAy63

sqlparse contains a regular expression that is vulnerable to Regular Expression Denial of Service

Impact

The SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The vulnerability may lead to Denial of Service (DoS).

Patches

This issues has been fixed in sqlparse 0.4.4.

Workarounds

None.

References

This issue was discovered and reported by GHSL team member @erik-krogh (Erik Krogh Kristensen).

• Commit that introduced the vulnerability: e75e35869473832a1eb67772b1adfee2db11b85a

Permalink: https://github.com/advisories/GHSA-rrm6-wvj7-cwh2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ycm02LXd2ajctY3doMs4AAy63
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 6 months ago

CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Identifiers: GHSA-rrm6-wvj7-cwh2, CVE-2023-30608
References:

• https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
• https://nvd.nist.gov/vuln/detail/CVE-2023-30608
• https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
• https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a
• https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
• https://lists.debian.org/debian-lts-announce/2023/05/msg00017.html
• https://github.com/pypa/advisory-database/tree/main/vulns/sqlparse/PYSEC-2023-87.yaml
• https://github.com/advisories/GHSA-rrm6-wvj7-cwh2

Repository: https://github.com/andialbrecht/sqlparse
Blast Radius: 29.2

Affected Packages