Bug 2005072 (CVE-2021-32839) - CVE-2021-32839 python-sqlparse: ReDoS via regular expression in StripComments filter
Summary: CVE-2021-32839 python-sqlparse: ReDoS via regular expression in StripComments...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-32839
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2005178 2012131 2012132 2015634 2005074 2005951 2006250
Blocks: 2005075
TreeView+ depends on / blocked
 
Reported: 2021-09-16 17:07 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-07-05 14:26 UTC (History)
46 users (show)

Fixed In Version: sqlparse 0.4.2
Doc Type: If docs needed, set a value
Doc Text:
A resource-consumption flaw was found in python-sqlparse. The formatter function that strips comments from SQL contains a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). A network attacker could craft an SQL comment containing numerous repetitions of '\r\n' that could cause exponential backtracking and cause the system to hang.
Clone Of:
Environment:
Last Closed: 2021-11-01 01:52:20 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5498 0 None None None 2022-07-05 14:26:53 UTC

Description Guilherme de Almeida Suckevicz 2021-09-16 17:07:54 UTC
The formatter function that strips comments from a SQL contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments.

Reference:
https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf

Comment 1 Guilherme de Almeida Suckevicz 2021-09-16 17:08:17 UTC
Created python-sqlparse tracking bugs for this issue:

Affects: fedora-all [bug 2005074]

Comment 3 Summer Long 2021-09-17 02:53:33 UTC
Created python-sqlparse tracking bugs for this issue:

Affects: openstack-rdo [bug 2005178]

Comment 10 errata-xmlrpc 2022-07-05 14:26:50 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498


Note You need to log in before you can comment on or make changes to this bug.