Bug 2187903 (CVE-2023-30608)

Summary: CVE-2023-30608 sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service)
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adudiak, apevec, bbuckingham, bcourt, cwelton, davidn, dfreiber, eglynn, ehelms, epacific, gtanzill, jburrell, jcammara, jhardy, jjoyce, jneedle, jobarker, jsherril, kshier, lhh, lzap, mabashia, mburns, mgarciac, mhulan, mminar, myarboro, nmoumoul, orabin, osapryki, pcreech, rbiba, rchan, rhos-maint, rogbas, simaishi, smcdonal, spower, sskracic, stcannon, teagle, tfister, vkumar, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: python-sqlparse 0.4.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in sqlparse. The SQL parser contains a regular expression vulnerable to a Regular Expression Denial of Service (ReDoS). The vulnerability may lead to a denial of service (DoS).
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-08-09 19:11:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2187907, 2187906, 2187908, 2187909, 2187910, 2187911, 2189189
Bug Blocks: 2187904

Description Avinash Hanwate 2023-04-19 05:37:48 UTC
sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issue has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.


https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a
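
Added illustration (not part of this report and not sqlparse's own code): the description names the bug class but does not print the regular expression involved. The Python below uses a constructed single-quoted SQL string-literal pattern with the overlapping-alternative shape that causes catastrophic backtracking, a hardened rewrite whose alternatives are mutually exclusive, a timing harness that exposes the exponential growth on an unterminated run of backslashes, and an affected_version() check that encodes the fix version recorded on this page (python-sqlparse 0.4.4). VULNERABLE_STRING, HARDENED_STRING, the sample SQL fragments and all function names are assumptions of this example.

```python
"""ReDoS illustration for CVE-2023-30608.

Added example: this is not sqlparse's code, and the bug report does not show
the affected pattern.  VULNERABLE_STRING is a constructed single-quoted SQL
string-literal regex with the shape that produces ReDoS (overlapping
alternatives under a Kleene star); HARDENED_STRING rewrites it so that every
input position has exactly one way to match.
"""
import re
import time
from typing import Optional, Sequence

# Constructed pattern (hypothetical, not sqlparse's).  Inside the star,
# "\\\\" (a pair of backslashes) and "[^']" (any non-quote character, which
# includes a lone backslash) can consume the same text.  A run of n
# backslashes that is never closed by a quote can be split between them in
# about Fibonacci(n) ways, and a backtracking engine tries every split
# before reporting that there is no match.
VULNERABLE_STRING = re.compile(r"'(''|\\\\|\\'|[^'])*'")

# Hardened rewrite: "''" begins with a quote, "\\." with a backslash, and the
# catch-all excludes both, so the alternatives are mutually exclusive and a
# failed match costs O(n).  (Add re.DOTALL if escaped newlines must be kept.)
HARDENED_STRING = re.compile(r"'(''|\\.|[^'\\])*'")


def leading_literal(pattern: re.Pattern, sql: str) -> Optional[str]:
    """Return the string literal at the start of `sql`, or None if absent."""
    m = pattern.match(sql)
    return m.group(0) if m else None


def match_seconds(pattern: re.Pattern, text: str, repeats: int = 3) -> float:
    """Best-of-N wall-clock seconds for one anchored match attempt."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def unterminated_backslashes(n: int) -> str:
    """Attacker-style input: an opening quote, n backslashes, no closing quote."""
    return "'" + "\\" * n


def growth(pattern: re.Pattern, sizes: Sequence[int]) -> list:
    """Match time per input size; exponential growth is the ReDoS signature."""
    return [match_seconds(pattern, unterminated_backslashes(n)) for n in sizes]


def affected_version(version: str) -> bool:
    """True if a python-sqlparse version string predates the 0.4.4 fix."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) < (0, 4, 4)


if __name__ == "__main__":
    # Constructed SQL fragments; both patterns must agree on well-formed input.
    for sql in ("'it''s' AND x", r"'C:\\temp' ;", r"'a\'b' OR 1"):
        print(repr(sql), "->",
              leading_literal(VULNERABLE_STRING, sql),
              leading_literal(HARDENED_STRING, sql))
    sizes = (10, 14, 18, 22)
    print("vulnerable:", ["%.5fs" % t for t in growth(VULNERABLE_STRING, sizes)])
    print("hardened:  ", ["%.5fs" % t for t in growth(HARDENED_STRING, sizes)])
    print("0.4.3 affected:", affected_version("0.4.3"),
          "| 0.4.4 affected:", affected_version("0.4.4"))
```

Run it directly to print the timings: each additional backslash multiplies the vulnerable pattern's failure time by roughly 1.6, while the hardened pattern stays flat even on tens of thousands of characters. For a deployed service the practical check is still the version: per this report anything older than 0.4.4 is affected and there is no workaround other than upgrading.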

Comment 1 Avinash Hanwate 2023-04-19 05:59:35 UTC
Created python-sqlparse tracking bugs for this issue:

Affects: epel-all [bug 2187907]
Affects: fedora-all [bug 2187906]
Affects: openstack-rdo [bug 2187911]

Comment 8 errata-xmlrpc 2023-08-09 14:17:55 UTC
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2023:4591 https://access.redhat.com/errata/RHSA-2023:4591

Comment 9 Product Security DevOps Team 2023-08-09 19:11:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-30608

Comment 10 errata-xmlrpc 2023-11-08 14:17:19 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818