2278038 – (CVE-2024-4340) CVE-2024-4340 sqlparse: parsing heavily nested list leads to denial of service

Bug 2278038 (CVE-2024-4340) - CVE-2024-4340 sqlparse: parsing heavily nested list leads to denial of service

Summary: CVE-2024-4340 sqlparse: parsing heavily nested list leads to denial of service

Keywords:
Status:	NEW
Alias:	CVE-2024-4340
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2278039 2278040 2278041 2278042 2278043 2278044 2308358
Blocks:	2278037
TreeView+	depends on / blocked

Reported:	2024-04-30 21:33 UTC by Robb Gatica
Modified:	2025-04-01 08:28 UTC (History)
CC List:	51 users (show)
Fixed In Version:	sqlparse 0.5.0
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:3781	None	None	None	2024-06-10 18:37:58 UTC
Red Hat Product Errata	RHSA-2024:9984	None	None	None	2024-11-21 09:32:45 UTC
Red Hat Product Errata	RHSA-2024:9986	None	None	None	2024-11-21 09:27:47 UTC
Red Hat Product Errata	RHSA-2025:1335	None	None	None	2025-02-12 00:09:18 UTC

Description Robb Gatica 2024-04-30 21:33:13 UTC

Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.

https://github.com/advisories/GHSA-2m57-hf25-phgg
https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
https://research.jfrog.com/vulnerabilities/sqlparse-stack-exhaustion-dos-jfsa-2024-001031292/

Comment 1 Robb Gatica 2024-04-30 21:36:39 UTC

Created python-sqlparse tracking bugs for this issue:

Affects: epel-all [bug 2278039]
Affects: fedora-all [bug 2278040]

Comment 6 errata-xmlrpc 2024-06-10 18:37:53 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781

Comment 7 errata-xmlrpc 2024-11-21 09:27:44 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 8

Via RHSA-2024:9986 https://access.redhat.com/errata/RHSA-2024:9986

Comment 8 errata-xmlrpc 2024-11-21 09:32:42 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:9984 https://access.redhat.com/errata/RHSA-2024:9984

Comment 9 errata-xmlrpc 2025-02-12 00:09:14 UTC

This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2025:1335 https://access.redhat.com/errata/RHSA-2025:1335

Note You need to log in before you can comment on or make changes to this bug.

adudiak
apevec
bbuckingham
bcourt
caswilli
davidn
dfreiber
drow
eglynn
ehelms
epacific
gtanzill
jburrell
jcammara
jhardy
jjoyce
jmitchel
jneedle
jobarker
jschluet
jsherril
jtanner
kaycoth
kholdawa
kshier
lhh
lsvaty
lzap
mabashia
mburns
mgarciac
mhulan
mminar
nmoumoul
omaciel
orabin
pcreech
pgrist
rbiba
rbobbitt
rchan
rhos-maint
sidakwo
simaishi
smcdonal
sskracic
stcannon
teagle
vkumar
yguenane
zsadeh