Bug 2005072 (CVE-2021-32839)
| Summary: | CVE-2021-32839 python-sqlparse: ReDoS via regular expression in StripComments filter | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | apevec, bbuckingham, bcoca, bcourt, bkearney, btotty, caswilli, chousekn, cmeyers, davidn, dbecker, dmalcolm, ehelms, gblomqui, hhorak, jcammara, jhardy, jjoyce, jobarker, jschluet, jsherril, jwong, kaycoth, lhh, lpeer, lzap, mabashia, mburns, me, mhulan, mmccune, myarboro, nmoumoul, notting, orabin, osapryki, pcreech, rchan, relrod, rhos-maint, rpetrell, sclewis, sdoran, slinaber, smcdonal, tkuratom |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | sqlparse 0.4.2 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A resource-consumption flaw was found in python-sqlparse. The formatter function that strips comments from SQL contains a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). A network attacker could craft an SQL comment containing numerous repetitions of '\r\n' that could cause exponential backtracking and cause the system to hang.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-01 01:52:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2012131, 2012132, 2015634, 2005074, 2005178, 2005951, 2006250 | ||
| Bug Blocks: | 2005075 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-09-16 17:07:54 UTC
Created python-sqlparse tracking bugs for this issue: Affects: fedora-all [bug 2005074] Upstream commit: https://github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aeb Created python-sqlparse tracking bugs for this issue: Affects: openstack-rdo [bug 2005178] This issue has been addressed in the following products: Red Hat Satellite 6.11 for RHEL 7 Red Hat Satellite 6.11 for RHEL 8 Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498 |