Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhnNGMtcmd2bS05NjRn

SQL Injection in pycsw

A SQL injection vulnerability in pycsw all versions before 2.0.2, 1.10.5 and 1.8.6 that leads to read and extract of any data from any table in the pycsw database that the database user has access to. Also on PostgreSQL (at least) it is possible to perform updates/inserts/deletes and database modifications to any table the database user has access to.

Permalink: https://github.com/advisories/GHSA-hg4c-rgvm-964g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhnNGMtcmd2bS05NjRn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 6 years ago
Updated: 2 months ago

CVSS Score: 9.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Percentage: 0.00181
EPSS Percentile: 0.55501

Identifiers: GHSA-hg4c-rgvm-964g, CVE-2016-8640
References:

Repository: https://github.com/geopython/pycsw
Blast Radius: 18.6

Affected Packages

pypi:pycsw

Dependent packages: 2
Dependent repositories: 112
Downloads: 12,221 last month
Affected Version Ranges: >= 2.0.0, < 2.0.2, >= 1.10.0, < 1.10.5, < 1.8.6
Fixed in: 2.0.2, 1.10.5, 1.8.6
All affected versions: 1.4.0, 1.4.1, 1.4.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 2.0.0, 2.0.1
All unaffected versions: 1.8.6, 1.10.5, 2.0.2, 2.0.3, 2.2.0, 2.4.0, 2.4.1, 2.4.2, 2.6.0, 2.6.1