sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issue has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.
### Vulnerable Library - sqlparse-0.4.3-py3-none-any.whl

A non-validating SQL parser.
Library home page: https://files.pythonhosted.org/packages/97/d3/31dd2c3e48fc2060819f4acb0686248250a0f2326356306b38a42e059144/sqlparse-0.4.3-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/dj-nexmo
Path to vulnerable library: /tmp/ws-scm/dj-nexmo
# Vulnerabilities
# Details

## CVE-2024-4340
### Vulnerable Library - sqlparse-0.4.3-py3-none-any.whl

A non-validating SQL parser.
Library home page: https://files.pythonhosted.org/packages/97/d3/31dd2c3e48fc2060819f4acb0686248250a0f2326356306b38a42e059144/sqlparse-0.4.3-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/dj-nexmo
Path to vulnerable library: /tmp/ws-scm/dj-nexmo
Dependency Hierarchy:

- :x: **sqlparse-0.4.3-py3-none-any.whl** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details

Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
Publish Date: 2024-04-30
URL: CVE-2024-4340
### Threat Assessment

Exploit Maturity: Not Defined
EPSS: 0.0%
### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-4340
Release Date: 2024-04-30
Fix Resolution: sqlparse - 0.5.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2023-30608

### Vulnerable Library - sqlparse-0.4.3-py3-none-any.whl

A non-validating SQL parser.
Library home page: https://files.pythonhosted.org/packages/97/d3/31dd2c3e48fc2060819f4acb0686248250a0f2326356306b38a42e059144/sqlparse-0.4.3-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/dj-nexmo
Path to vulnerable library: /tmp/ws-scm/dj-nexmo
Dependency Hierarchy:

- :x: **sqlparse-0.4.3-py3-none-any.whl** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details

sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issue has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2023-04-18
URL: CVE-2023-30608
### Threat Assessment

Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (5.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
Release Date: 2023-04-18
Fix Resolution: 0.4.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.