sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-comments command line flag when using the sqlformat command line tool. The issues has been fixed in sqlparse 0.4.2.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2021-0369
### Vulnerable Library - sqlparse-0.4.1-py3-none-any.whl
StripComments filter contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service)
The formatter function that strips comments from a SQL contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - sqlparse-0.4.1-py3-none-any.whl
A non-validating SQL parser.
Library home page: https://files.pythonhosted.org/packages/14/05/6e8eb62ca685b10e34051a80d7ea94b7137369d8c0be5c3b9d9b6e3f5dae/sqlparse-0.4.1-py3-none-any.whl
Path to dependency file: /apps/requirements.txt
Path to vulnerable library: /apps/requirements.txt,/apps/requirements.txt
Found in HEAD commit: 488419ecc92d95ee52327b0d6f7edab57b512b51
Vulnerabilities
Details
CVE-2021-32839
### Vulnerable Library - sqlparse-0.4.1-py3-none-any.whlA non-validating SQL parser.
Library home page: https://files.pythonhosted.org/packages/14/05/6e8eb62ca685b10e34051a80d7ea94b7137369d8c0be5c3b9d9b6e3f5dae/sqlparse-0.4.1-py3-none-any.whl
Path to dependency file: /apps/requirements.txt
Path to vulnerable library: /apps/requirements.txt,/apps/requirements.txt
Dependency Hierarchy: - :x: **sqlparse-0.4.1-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 488419ecc92d95ee52327b0d6f7edab57b512b51
Found in base branch: develop
### Vulnerability Detailssqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-comments command line flag when using the sqlformat command line tool. The issues has been fixed in sqlparse 0.4.2.
Publish Date: 2021-09-20
URL: CVE-2021-32839
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf
Release Date: 2021-09-20
Fix Resolution: 0.4.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)WS-2021-0369
### Vulnerable Library - sqlparse-0.4.1-py3-none-any.whlA non-validating SQL parser.
Library home page: https://files.pythonhosted.org/packages/14/05/6e8eb62ca685b10e34051a80d7ea94b7137369d8c0be5c3b9d9b6e3f5dae/sqlparse-0.4.1-py3-none-any.whl
Path to dependency file: /apps/requirements.txt
Path to vulnerable library: /apps/requirements.txt,/apps/requirements.txt
Dependency Hierarchy: - :x: **sqlparse-0.4.1-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 488419ecc92d95ee52327b0d6f7edab57b512b51
Found in base branch: develop
### Vulnerability DetailsStripComments filter contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service) The formatter function that strips comments from a SQL contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments.
Publish Date: 2021-09-10
URL: WS-2021-0369
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-p5w8-wqhj-9hhf
Release Date: 2021-09-10
Fix Resolution: 0.4.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)