Inefficient Regular Expression Complexity Affecting python-sqlparse package, versions *
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RHEL9-PYTHONSQLPARSE-5426553
- published 19 Apr 2023
- disclosed 19 Apr 2023
Introduced: 19 Apr 2023
CVE-2023-30608 Open this link in a new tabHow to fix?
There is no fixed version for RHEL:9 python-sqlparse.
NVD Description
Note: Versions mentioned in the description apply only to the upstream python-sqlparse package and not the python-sqlparse package as distributed by RHEL.
See How to fix? for RHEL:9 relevant fixed versions and status.
sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit e75e358. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit c457abd5f. Users are advised to upgrade. There are no known workarounds for this issue.
References
- https://access.redhat.com/security/cve/CVE-2023-30608
- https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
- https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a
- https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
- https://lists.debian.org/debian-lts-announce/2023/05/msg00017.html
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS