hackariens / django

Templates for creating a new Django project
2 stars, 0 forks

sqlparse-0.4.1-py3-none-any.whl: 2 vulnerabilities (highest severity is: 7.5) - autoclosed #103

Closed mend-bolt-for-github[bot] closed 1 year ago

mend-bolt-for-github[bot] commented 1 year ago
Vulnerable Library - sqlparse-0.4.1-py3-none-any.whl

A non-validating SQL parser.

Library home page: https://files.pythonhosted.org/packages/14/05/6e8eb62ca685b10e34051a80d7ea94b7137369d8c0be5c3b9d9b6e3f5dae/sqlparse-0.4.1-py3-none-any.whl

Path to dependency file: /apps/requirements.txt

Path to vulnerable library: /apps/requirements.txt,/apps/requirements.txt

Found in HEAD commit: 488419ecc92d95ee52327b0d6f7edab57b512b51

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (sqlparse version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-32839 | High | 7.5 | sqlparse-0.4.1-py3-none-any.whl | Direct | 0.4.2 | |
| WS-2021-0369 | High | 7.5 | sqlparse-0.4.1-py3-none-any.whl | Direct | 0.4.2 | |

Details

CVE-2021-32839

### Vulnerable Library - sqlparse-0.4.1-py3-none-any.whl

A non-validating SQL parser.

Library home page: https://files.pythonhosted.org/packages/14/05/6e8eb62ca685b10e34051a80d7ea94b7137369d8c0be5c3b9d9b6e3f5dae/sqlparse-0.4.1-py3-none-any.whl

Path to dependency file: /apps/requirements.txt

Path to vulnerable library: /apps/requirements.txt,/apps/requirements.txt

Dependency Hierarchy:
- :x: **sqlparse-0.4.1-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 488419ecc92d95ee52327b0d6f7edab57b512b51

Found in base branch: develop

### Vulnerability Details

sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a Regular Expression Denial of Service (ReDoS) vulnerability in sqlparse. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround, don't use the sqlformat.format function with keyword strip_comments=True or the --strip-comments command line flag when using the sqlformat command line tool. The issue has been fixed in sqlparse 0.4.2.

Publish Date: 2021-09-20

URL: CVE-2021-32839

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf

Release Date: 2021-09-20

Fix Resolution: 0.4.2

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2021-0369

### Vulnerable Library - sqlparse-0.4.1-py3-none-any.whl

A non-validating SQL parser.

Library home page: https://files.pythonhosted.org/packages/14/05/6e8eb62ca685b10e34051a80d7ea94b7137369d8c0be5c3b9d9b6e3f5dae/sqlparse-0.4.1-py3-none-any.whl

Path to dependency file: /apps/requirements.txt

Path to vulnerable library: /apps/requirements.txt,/apps/requirements.txt

Dependency Hierarchy:
- :x: **sqlparse-0.4.1-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 488419ecc92d95ee52327b0d6f7edab57b512b51

Found in base branch: develop

### Vulnerability Details

The StripComments filter contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The formatter function that strips comments from a SQL statement contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments.

Publish Date: 2021-09-10

URL: WS-2021-0369

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-p5w8-wqhj-9hhf

Release Date: 2021-09-10

Fix Resolution: 0.4.2

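The backtracking mechanism the two entries above describe, plus the version check a maintainer of this repository would want, as an added Python example that is neither sqlparse's code nor part of the Mend report. `AMBIGUOUS_NEWLINE_RE` is a hypothetical pattern constructed to show the ambiguity class the advisory describes (a run of `'\r\n'` pairs that an alternation can split in exponentially many ways); it is not claimed to be the literal regex from sqlparse. `UNAMBIGUOUS_NEWLINE_RE` is the character-class rewrite of the same intent. The affected range (0.4.0 and 0.4.1) and the fix version (0.4.2) are taken from the report; `REQUIREMENTS_SAMPLE` is a constructed file, not the repository's `/apps/requirements.txt`.

```python
"""Added example (not sqlparse's code and not part of the Mend report):
the regex ambiguity class behind the ReDoS described above, its
unambiguous rewrite, and a requirements.txt check for the affected range.
The patterns are hypothetical illustrations of the advisory's wording
("exponential backtracking on many repetitions of '\\r\\n'"), not the
literal regex from sqlparse."""
import re
import time

# Hypothetical ambiguous pattern: "\r\n" can be consumed either as the
# first alternative or as "\r" followed by "\n", so a run of n pairs has
# 2**n segmentations. When the trailing " *$" fails on the next character,
# a backtracking engine such as Python's re tries every one of them.
AMBIGUOUS_NEWLINE_RE = re.compile(r'((\r\n|\r|\n)+) *$')

# Same intent, unambiguous: a character class consumes each character in
# exactly one way, so backtracking is linear in the run length.
UNAMBIGUOUS_NEWLINE_RE = re.compile(r'([\r\n]+) *$')


def trailing_newlines(pattern, comment):
    """Return the trailing line-break run of a comment token, or None."""
    m = pattern.search(comment)
    return m.group(1) if m else None


def redos_payload(pairs):
    """Constructed SQL comment: many '\\r\\n' repeats followed by a character
    that defeats ' *$', which is what forces the backtracking."""
    return "-- comment" + "\r\n" * pairs + "x"


def time_search(pattern, pairs):
    """Seconds one search of the constructed payload takes with the pattern."""
    payload = redos_payload(pairs)
    start = time.perf_counter()
    pattern.search(payload)
    return time.perf_counter() - start


# Version boundaries taken from the report: 0.4.0 and 0.4.1 affected,
# fixed in 0.4.2.
AFFECTED_MIN = (0, 4, 0)
FIXED = (0, 4, 2)

# Matches "name==1.2.3" pins; other specifiers are deliberately ignored.
_PIN_RE = re.compile(r'^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)')


def parse_version(text):
    return tuple(int(part) for part in text.strip(".").split("."))


def sqlparse_pin_is_vulnerable(version):
    return AFFECTED_MIN <= parse_version(version) < FIXED


def strip_comments_is_safe(installed_version):
    """The advisory's workaround as a guard: only pass strip_comments=True
    (or --strip-comments) when the installed sqlparse is not affected."""
    return not sqlparse_pin_is_vulnerable(installed_version)


def scan_requirements(text):
    """Return {name: (pinned_version, vulnerable)} for sqlparse pins."""
    findings = {}
    for line in text.splitlines():
        m = _PIN_RE.match(line.split("#", 1)[0])
        if m and m.group(1).lower() == "sqlparse":
            version = m.group(2).rstrip(".")
            findings["sqlparse"] = (version, sqlparse_pin_is_vulnerable(version))
    return findings


# Constructed sample of a requirements file carrying the reported pin.
REQUIREMENTS_SAMPLE = """\
Django==3.2.7
sqlparse==0.4.1   # the pin flagged in the report above
gunicorn==20.1.0
"""

if __name__ == "__main__":
    for pairs in (8, 12, 16, 18):
        print(f"{pairs:2d} pairs: ambiguous {time_search(AMBIGUOUS_NEWLINE_RE, pairs):.4f}s"
              f"  unambiguous {time_search(UNAMBIGUOUS_NEWLINE_RE, pairs):.6f}s")
    print(scan_requirements(REQUIREMENTS_SAMPLE))
    print("strip_comments allowed on 0.4.1:", strip_comments_is_safe("0.4.1"))
```

Run directly, the ambiguous pattern's search time roughly doubles with every extra `'\r\n'` pair while the character-class rewrite stays flat, which is the difference between a comment-stripping call that returns and one that pins a worker. The requirements scan reports the sample's `sqlparse==0.4.1` pin as vulnerable, and `strip_comments_is_safe` is the advisory's workaround expressed as a guard to place in front of any `strip_comments=True` call until the pin is moved to 0.4.2.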
mend-bolt-for-github[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.