CVE-2021-32839 sqlparse

Package

Manager: pip
Name: sqlparse
Vulnerable Version: >=0.4.0 <0.4.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00109 (percentile 0.29808)

Details

StripComments filter contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service)

### Impact

The formatter function that strips comments from a SQL statement contains a regular expression that is vulnerable to [ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) (Regular Expression Denial of Service). The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments.

### Patches

The issue has been fixed in sqlparse 0.4.2.

### Workarounds

Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround, don't use the `sqlformat.format` function with the keyword `strip_comments=True`, or the `--strip-comments` command line flag when using the `sqlformat` command line tool.

### References

This issue was discovered by GitHub team members @erik-krogh and @yoff. It was found using a [CodeQL](https://codeql.github.com/) query which identifies inefficient regular expressions. You can see the results of the query on python-sqlparse by following [this link](https://lgtm.com/query/2223658096471222354/).

### For more information

If you have any questions or comments about this advisory:

* Open an issue in the [sqlparse issue tracker](https://github.com/andialbrecht/sqlparse/issues)
* Email us at [albrecht.andi@gmail.com](mailto:albrecht.andi@gmail.com)

Metadata

Created: 2021-09-10T17:56:06Z
Modified: 2024-10-28T14:25:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-p5w8-wqhj-9hhf/GHSA-p5w8-wqhj-9hhf.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-p5w8-wqhj-9hhf
Finding: F002
Auto approve: 1