CVSSv2: 7.5

CVE-2009-2940

Published: 22/10/2009 Updated: 19/12/2009
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The pygresql module, versions 3.8.1 and 4.0, for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to exploit escaping issues involving multibyte character encodings.

Vulnerable Products

pygresql 3.8.1

pygresql 4.0

Vendor Advisories

Steffen Joeris discovered that PyGreSQL 3.8 did not use PostgreSQL’s safe string and bytea functions in its own escaping functions. As a result, applications written to use PyGreSQL’s escaping functions are vulnerable to SQL injections when processing certain multi-byte character sequences. Because the safe functions require a database connecti ...
It was discovered that pygresql, a PostgreSQL module for Python, was missing a function to call PQescapeStringConn(). This is needed because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping when certain multibyte character encodings are used. The new function is called pg_escape_string(), which takes t ...