PT-2022-6566 · Unknown+12 · Sqlalchemy+14

Zzzeek · Published 2022-07-09 · Updated 2025-12-03 · CVE-2022-40023

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Sqlalchemy Mako versions prior to 1.2.2

Description: The Lexer class in Mako performs insufficient input validation when it applies its regular expressions to template input. A remote attacker can supply specially crafted data that causes the Lexer's regular-expression matching to consume excessive resources, resulting in a denial of service (a regular-expression DoS). The babelplugin and linguaplugin extensions, which rely on the same Lexer, are affected as well.

Recommendations: For versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue. As a temporary workaround where the update cannot yet be applied, restrict the Lexer class's regular-expression parsing to trusted input only.

Exploit · Fix · DoS


Related Identifiers

ALSA-2023:2258
ALSA-2023:2893
ALT-PU-2022-2592
ALT-PU-2023-2061
ALT-PU-2023-5599
AZL-10892
BDU:2023-02444
CESA-2023_2893
CVE-2022-40023
DLA-3116-1
DLA-4393-1
GHSA-V973-FXGF-6XHP
INFSA-2023_2258
INFSA-2023_2893
MGASA-2022-0350
OESA-2023-1683
OPENSUSE-SU-2022_3979-1
OPENSUSE-SU-2024:13610-1
PYSEC-2022-260
RHSA-2023:2258
RHSA-2023:2893
RHSA-2023_2258
RHSA-2023_2893
SUSE-SU-2022:3700-1
SUSE-SU-2022:3701-1
SUSE-SU-2022:3979-1
SUSE-SU-2022_3979-1
USN-5625-1
USN-5625-2

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Sqlalchemy
Suse
Ubuntu
Babelplugin
Linguaplugin
Mako