2 results (0.009 seconds)

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. • https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2 https://lists.debian.org/debian-lts-announce/2023/05/msg00017.html https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS https://access.redhat.com/security/cve/CVE-2023-30608 https://bugzilla.redhat.com/show_bug.cgi?id=2187903 • CWE-1333: Inefficient Regular Expression Complexity •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-comments command line flag when using the sqlformat command line tool. • https://github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aeb https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf https://access.redhat.com/security/cve/CVE-2021-32839 https://bugzilla.redhat.com/show_bug.cgi?id=2005072 • CWE-400: Uncontrolled Resource Consumption •