PT-2024-4421 · Pypi+10 · Pymysql+10

Published: 2024-05-21 · Updated: 2026-06-03 · CVE-2024-36039

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: PyMySQL versions 1.1.0 and earlier

Description: The issue is related to the JSON handler component of the PyMySQL library for Python, whose escape_dict function does not properly escape dictionary keys. If untrusted JSON input is used as query parameters, a remote attacker can gain unauthorized access to data, tamper with data, or execute arbitrary code on the internal database server. Exploitation of this issue can lead to SQL injection.

Recommendations: For PyMySQL versions 1.1.0 and earlier, consider disabling the use of untrusted JSON input until a patch is available. As a temporary workaround, restrict the use of the escape_dict function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
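The following Python example is added here and is not part of this advisory or of PyMySQL's own code: it models the key-escaping gap described above with a simplified escaper and shows the two defensive checks the recommendation points to, refusing dict parameters outright and allowlisting keys before they can reach a query. All function names (escape_value, escape_dict_unescaped_keys, is_safe_key, escape_dict_checked, reject_dict_params) and the UNTRUSTED document are constructed for this example.

```python
import re
from typing import Any, Mapping

# Simplified model of the escaping step the advisory describes (constructed
# for this example, not PyMySQL's converters module): values are quoted and
# backslash-escaped, dictionary keys are not touched at all.
def escape_value(value: Any) -> str:
    if value is None:
        return "NULL"
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value).replace("\\", "\\\\").replace("'", "\\'")
    return f"'{text}'"

def escape_dict_unescaped_keys(params: Mapping[str, Any]) -> dict:
    """Model of the flaw: only values are escaped, keys pass through verbatim."""
    return {key: escape_value(val) for key, val in params.items()}

# Defensive replacement: a key is acceptable only if it is a plain SQL
# identifier AND on the caller's allowlist, so a key taken from untrusted
# JSON cannot carry quote characters or SQL fragments into the query.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

def is_safe_key(key: Any, allowed: frozenset) -> bool:
    return isinstance(key, str) and bool(IDENTIFIER.match(key)) and key in allowed

def escape_dict_checked(params: Mapping[Any, Any], allowed: frozenset) -> dict:
    out = {}
    for key, val in params.items():
        if not is_safe_key(key, allowed):
            raise ValueError(f"rejected untrusted parameter key: {key!r}")
        out[key] = escape_value(val)
    return out

def reject_dict_params(params: Any) -> Any:
    """Workaround matching the recommendation: never pass a dict as a parameter."""
    if isinstance(params, dict):
        raise TypeError("dict query parameters are not accepted; pass a tuple of values")
    return params

# Constructed untrusted JSON document: the value is escaped correctly, but the
# key carries a quote that the flawed path leaves in place unchanged.
UNTRUSTED = {"name' , x": "O'Brien", "age": 41}

if __name__ == "__main__":
    print("flawed:", escape_dict_unescaped_keys(UNTRUSTED))
    try:
        escape_dict_checked(UNTRUSTED, frozenset({"name", "age"}))
    except ValueError as exc:
        print("blocked:", exc)
```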

Weakness Enumeration

SQL injection

Related Identifiers

ALSA-2024:4244
ALSA-2024:4245
ALSA-2024:9193
ALSA-2024:9194
ALT-PU-2024-13321
AZL-43726
AZL-44457
BDU:2024-04920
CESA-2024_4244
CESA-2024_4245
CVE-2024-36039
DLA-3822-1
DSA-5700-1
GHSA-V9HF-5J83-6XPP
INFSA-2024_4244
INFSA-2024_4245
INFSA-2024_9193
INFSA-2024_9194
OESA-2024-1719
OPENSUSE-SU-2024:13993-1
OPENSUSE-SU-2024_1855-1
OPENSUSE-SU-2024_1925-1
RHSA-2024:4244
RHSA-2024:4245
RHSA-2024:9193
RHSA-2024:9194
RHSA-2024_4244
RHSA-2024_4245
RHSA-2024_9193
RHSA-2024_9194
RLSA-2024:9193
RLSA-2024:9194
SUSE-SU-2024:1855-1
SUSE-SU-2024:1925-1
USN-6801-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Pymysql
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu