GHSA-rrm6-wvj7-cwh2

Suggest an improvement
Source
https://github.com/advisories/GHSA-rrm6-wvj7-cwh2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-rrm6-wvj7-cwh2/GHSA-rrm6-wvj7-cwh2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rrm6-wvj7-cwh2
Aliases
Published
2023-04-21T20:24:21Z
Modified
2024-10-28T14:43:37.505799Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
sqlparse contains a regular expression that is vulnerable to Regular Expression Denial of Service
Details

Impact

The SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The vulnerability may lead to Denial of Service (DoS).

Patches

This issues has been fixed in sqlparse 0.4.4.

Workarounds

None.

References

This issue was discovered and reported by GHSL team member @erik-krogh (Erik Krogh Kristensen). - Commit that introduced the vulnerability: e75e35869473832a1eb67772b1adfee2db11b85a

Database specific
{
    "nvd_published_at": "2023-04-18T22:15:08Z",
    "cwe_ids": [
        "CWE-1333"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-21T20:24:21Z"
}
References

Affected packages

PyPI / sqlparse

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.1.15
Fixed
0.4.4

Affected versions

0.*

0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.3.0
0.3.1
0.4.0
0.4.1
0.4.2
0.4.3