CVE-2023-30608

Name
CVE-2023-30608
Description
sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
MISC https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
MISC https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
MISC https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a
MISC https://lists.debian.org/debian-lts-announce/2023/05/msg00017.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:sqlparse_project:sqlparse:*:*:*:*:*:python:*:* py3-sqlparse >= 0.1.15 <= 0.4.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
py3-sqlparse 3.17-community 0.4.3-r0 Thomas Boerger <thomas@webhippie.de> possibly vulnerable
py3-sqlparse 3.18-community 0.4.4-r1 Thomas Boerger <thomas@webhippie.de> possibly vulnerable
py3-sqlparse 3.19-community 0.4.4-r1 Thomas Boerger <thomas@webhippie.de> possibly vulnerable
py3-sqlparse edge-community 0.4.4-r2 Thomas Boerger <thomas@webhippie.de> possibly vulnerable