Bug 2187903 (CVE-2023-30608) - CVE-2023-30608 sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service)
Summary: CVE-2023-30608 sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-30608
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2187906 2187907 2187911 2187908 2187909 2187910 2189189
Blocks: 2187904
Reported: 2023-04-19 05:37 UTC by Avinash Hanwate
Modified: 2023-11-08 14:17 UTC (History)

Fixed In Version: python-sqlparse 0.4.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in sqlparse. The SQL parser contains a regular expression vulnerable to a Regular Expression Denial of Service (ReDoS). The vulnerability may lead to a denial of service (DoS).
Clone Of:
Environment:
Last Closed: 2023-08-09 19:11:45 UTC
Embargoed:




Links
System: Red Hat Product Errata | ID: RHSA-2023:4591 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2023-08-09 14:17:58 UTC
System: Red Hat Product Errata | ID: RHSA-2023:6818 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2023-11-08 14:17:22 UTC

Description Avinash Hanwate 2023-04-19 05:37:48 UTC
sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issue has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.


https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a

Comment 1 Avinash Hanwate 2023-04-19 05:59:35 UTC
Created python-sqlparse tracking bugs for this issue:

Affects: epel-all [bug 2187907]
Affects: fedora-all [bug 2187906]
Affects: openstack-rdo [bug 2187911]

Comment 8 errata-xmlrpc 2023-08-09 14:17:55 UTC
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2023:4591 https://access.redhat.com/errata/RHSA-2023:4591

Comment 9 Product Security DevOps Team 2023-08-09 19:11:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-30608

Comment 10 errata-xmlrpc 2023-11-08 14:17:19 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818
