CVE-2016-8640 – pycsw
Package
Manager: pip
Name: pycsw
Vulnerable Version: >=2.0.0 <2.0.2 || >=0 <1.8.6 || >=1.10.0 <1.10.5
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0095 (percentile: 0.75467)
Details
SQL Injection in pycsw
A SQL injection vulnerability in pycsw, affecting all versions before 2.0.2, 1.10.5 and 1.8.6, allows reading and extracting any data from any table in the pycsw database that the database user has access to. On PostgreSQL (at least), it is also possible to perform updates, inserts, deletes and database modifications on any table the database user has access to.
Metadata
Created: 2018-08-15T20:02:53Z
Modified: 2024-10-21T20:20:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-hg4c-rgvm-964g/GHSA-hg4c-rgvm-964g.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-hg4c-rgvm-964g
Finding: F297
Auto approve: 1