GHSA-rrm6-wvj7-cwh2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rrm6-wvj7-cwh2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-rrm6-wvj7-cwh2/GHSA-rrm6-wvj7-cwh2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rrm6-wvj7-cwh2
- Aliases
- Published
- 2023-04-21T20:24:21Z
- Modified
- 2024-10-28T14:43:37.505799Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- sqlparse contains a regular expression that is vulnerable to Regular Expression Denial of Service
- Details
-
Impact
The SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The vulnerability may lead to Denial of Service (DoS).
Patches
This issues has been fixed in sqlparse 0.4.4.
Workarounds
None.
References
This issue was discovered and reported by GHSL team member @erik-krogh (Erik Krogh Kristensen). - Commit that introduced the vulnerability: e75e35869473832a1eb67772b1adfee2db11b85a
- References
-
- https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
- https://nvd.nist.gov/vuln/detail/CVE-2023-30608
- https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
- https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a
- https://github.com/andialbrecht/sqlparse
- https://github.com/pypa/advisory-database/tree/main/vulns/sqlparse/PYSEC-2023-87.yaml
- https://lists.debian.org/debian-lts-announce/2023/05/msg00017.html
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
Affected packages
PyPI / sqlparse
Package
- Name
- sqlparse
- View open source insights on deps.dev
- Purl
- pkg:pypi/sqlparse