Description
sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS breakdown
CVSS 3.1
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected products
- andialbrecht / sqlparse>= 0.1.15, < 0.4.4 – >= 0.1.15, < 0.4.4
References
- VENDOR_ADVISORYhttps://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
- PATCHhttps://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
- PATCHhttps://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a
- MISChttps://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- MAILING_LISThttps://lists.debian.org/debian-lts-announce/2023/05/msg00017.html