PT-2021-6509 · Pypi+4 · Sqlparse+4

Erik-Krogh +1 · Published 2021-09-10 · Updated 2024-12-21 · CVE-2021-32839

CVSS v4.0: 8.7 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: sqlparse versions 0.4.0 through 0.4.1

Description: The issue is a Regular Expression Denial of Service (ReDoS) in the sqlparse module for Python. The regular expression may cause exponential backtracking on strings containing many repetitions of r in SQL comments. This affects the formatting feature that removes comments from SQL statements.

Recommendations: For sqlparse versions 0.4.0 and 0.4.1, as a workaround, do not call the sqlformat.format function with the keyword argument strip_comments=True, and do not pass the --strip-comments command line flag to the sqlformat command line tool. For sqlparse versions 0.4.0 and 0.4.1, update to sqlparse 0.4.2 to fix the issue.
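A guard that enforces the workaround above for callers that cannot upgrade right away, as an added example (not code from the sqlparse project or this advisory): it refuses the comment-stripping option on the affected releases and lets every other formatting option through. The helper names are hypothetical; the lazy import assumes sqlparse exposes its version as sqlparse.__version__ and its formatter as sqlparse.format.

```python
# Guard for CVE-2021-32839: refuse the comment-stripping code path on affected
# sqlparse releases (0.4.0 and 0.4.1), so the ReDoS-prone regex is never reached.
# Hypothetical helper names; this is not part of sqlparse.
import re

FIRST_AFFECTED = (0, 4, 0)
FIRST_FIXED = (0, 4, 2)   # release the advisory names as fixing the issue


def parse_version(version):
    """Turn '0.4.1' (or '0.4.1rc1') into a comparable tuple of ints: (0, 4, 1)."""
    parts = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not parts:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) if p is not None else 0 for p in parts.groups())


def is_affected(version):
    """True for the sqlparse releases the advisory lists as vulnerable."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def check_format_options(version, options):
    """Return the option name that reaches the vulnerable path, or None.

    `options` mirrors the keyword arguments a caller would pass to the formatter;
    only strip_comments=True reaches the comment-removal regex, so it is the only
    option refused on an affected version."""
    if is_affected(version) and options.get("strip_comments"):
        return "strip_comments"
    return None


def safe_format(sql, **options):
    """Format SQL with sqlparse, but never strip comments on an affected release.

    Imports sqlparse lazily so the guard itself has no hard dependency on it.
    Assumes sqlparse.__version__ and sqlparse.format(sql, **options) exist."""
    import sqlparse
    blocked = check_format_options(sqlparse.__version__, options)
    if blocked:
        raise RuntimeError(
            f"sqlparse {sqlparse.__version__} is affected by CVE-2021-32839; "
            f"upgrade to 0.4.2 or newer before using {blocked}=True"
        )
    return sqlparse.format(sql, **options)
```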

Tags: Fix · DoS · Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALT-PU-2021-3031
ALT-PU-2023-6568
ALT-PU-2024-8950
BDU:2022-01768
CVE-2021-32839
DLA-4000-1
GHSA-P5W8-WQHJ-9HHF
OPENSUSE-SU-2021:3857-1
OPENSUSE-SU-2021_3857-1
OPENSUSE-SU-2024:11581-1
OPENSUSE-SU-2024:13938-1
PYSEC-2021-333
RHSA-2022:5498
RLSA-2022:5498
SUSE-SU-2021:3857-1
SUSE-SU-2021_3857-1
USN-5085-1

Affected Products

Alt Linux
Rocky Linux
Suse
Ubuntu
Sqlparse