CVE-2021-32839

EPSS 0.11%
Published 20.09.2021 17:15:09
Last modified 21.11.2024 06:07:51
Source security-advisories@github.com
Teams watchlist Login
Open Login

sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-comments command line flag when using the sqlformat command line tool. The issues has been fixed in sqlparse 0.4.2.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Sqlparse Project ≫ Sqlparse Version >= 0.4.0 < 0.4.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.11%	0.298

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aeb

Patch

Third Party Advisory

https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-32839

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-32839

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-32839

EUVD