PT-2009-5288 · Pygresql · Pygresql

Steffen Joeris · Published 2009-10-22 · Updated 2022-05-02 · CVE-2009-2940

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: PyGreSQL versions 3.8.1 and 4.0

Description: PyGreSQL's own escaping functions do not use PostgreSQL's safe string and bytea functions; in particular, they lack proper support for the PQescapeStringConn function. As a result, escaping can go wrong under certain multibyte character encodings, and a remote attacker who supplies such multi-byte character sequences can achieve SQL injection.

Recommendations: For PyGreSQL versions 3.8.1 and 4.0, adjust applications to use the new connection.escape_string() and connection.escape_bytea() functions instead of pg.escape_string() and pg.escape_bytea().
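The difference the recommendation turns on, as an added example (not PyGreSQL's or libpq's code): an escaper that walks bytes beside one that decodes in the connection's client encoding and escapes per character. It assumes a GBK client encoding and that backslash is an escape inside quoted literals (PostgreSQL's default before 9.1); the sample bytes are constructed.

```python
# Added example (not PyGreSQL or libpq code). Shows why escaping that walks
# bytes misbehaves under a multibyte client encoding, next to the
# character-aware approach a connection-bound escape_string() can take.
# Assumed: client_encoding GBK; backslash escapes inside quoted literals
# (PostgreSQL's default before 9.1). All inputs are constructed.

def escape_bytewise(raw: bytes) -> bytes:
    """Encoding-unaware: doubles every 0x27 (') and 0x5C (\\) byte, even
    when that byte is really the tail of a multibyte character."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x5C):
            out.append(b)
        out.append(b)
    return bytes(out)

def escape_connection_aware(raw: bytes, client_encoding: str) -> bytes:
    """Connection-aware: strict decode in the connection's encoding (malformed
    input raises instead of passing through), escape per character, re-encode."""
    text = raw.decode(client_encoding, errors="strict")
    return text.replace("\\", "\\\\").replace("'", "''").encode(client_encoding)

def rejects_malformed(raw: bytes, client_encoding: str) -> bool:
    """True if the aware path refuses bytes that are invalid in the encoding."""
    try:
        escape_connection_aware(raw, client_encoding)
    except UnicodeDecodeError:
        return True
    return False

def literal_end(escaped: bytes, client_encoding: str):
    """Character offset at which the server would see '<escaped>' terminate,
    or None when the closing quote has been swallowed."""
    s = (b"'" + escaped + b"'").decode(client_encoding, errors="replace")
    i = 1
    while i < len(s):
        if s[i] == "\\":
            i += 2                       # backslash escapes the next char
        elif s[i] == "'" and s[i + 1:i + 2] == "'":
            i += 2                       # doubled quote is a literal quote
        elif s[i] == "'":
            return i
        else:
            i += 1
    return None

# Constructed sample: one valid GBK character whose trailing byte is 0x5C.
GBK_CHAR = b"\xbf\x5c"

if __name__ == "__main__":
    print("bytewise literal ends at:", literal_end(escape_bytewise(GBK_CHAR), "gbk"))
    print("aware literal ends at   :", literal_end(escape_connection_aware(GBK_CHAR, "gbk"), "gbk"))
```

The bytewise path doubles the 0x5C tail byte, so the server sees the character followed by a stray backslash that escapes the closing quote; the aware path leaves the character intact and refuses bytes that are not valid GBK.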

Fix

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2009-2940
DSA-1911-1
GHSA-XV6X-43GQ-4HFJ
PYSEC-2009-18

Affected Products

Pygresql