Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5
CVSSv2

CVE-2021-32839

Published: 20/09/2021 Updated: 29/09/2021
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Subscribe to Sqlparse Project

Vulnerability Summary

sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-comments command line flag when using the sqlformat command line tool. The issues has been fixed in sqlparse 0.4.2.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

sqlparse project sqlparse

Vendor Advisories

Red Hat: Moderate: Satellite 6.11 Release
Synopsis Moderate: Satellite 611 Release Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update is now available for Red Hat Satellite 611 Description Red Hat Satellite is a systems management tool for Linux-basedin ...
Debian CVElist Bug Report Logs: sqlparse: CVE-2021-32839
Debian Bug report logs - #994841 sqlparse: CVE-2021-32839 Package: src:sqlparse; Maintainer for src:sqlparse is Andrii Senkovych <andrii@senkovychcom>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 21 Sep 2021 19:06:02 UTC Severity: grave Tags: security, upstream Found in version sqlparse/041-1 ...
Red Hat: CVE-2021-32839
A resource-consumption flaw was found in python-sqlparse The formatter function that strips comments from SQL contains a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS) A network attacker could craft an SQL comment containing numerous repetitions of '\r\n' that could cause exponential backtracking and cause t ...
Arch Linux Issues:
In python-sqlparse versions 040 and 041 there is a regular Expression Denial of Service in sqlparse vulnerability The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments Only the formatting feature that removes comments from SQL statements is affected by this regular expressi ...

Github Repositories

https://github.com/HeikkiLu/cybersecuritymooc-project1

https://cybersecuritybase.mooc.fi

Vulnerable blog application Cyber Security Base 2022 Project 1 Description A blogging application with login functionality Once logged in, users can create and publish blog posts, as well as post comments on existing posts Non-logged-in users can browse the available blog posts Installation NOTE: On MacOS you might need to refer to a specific python version, eg python3

References

CWE-400https://github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aebhttps://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhfhttps://access.redhat.com/errata/RHSA-2022:5498https://nvd.nist.govhttps://github.com/HeikkiLu/cybersecuritymooc-project1https://access.redhat.com/security/cve/cve-2021-32839
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-29895blind SQL injectionCVE-2024-5064CVE-2023-52677CVE-2023-52682CVE-2024-30051CVE-2024-35849remote attackersremote
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook