CVE-2023-30608
Published 2023-04-18
CVE-2023-30608: sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS…
Priority: P3 · 36 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.98% (57.8th percentile)
sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issue has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| andialbrecht | sqlparse | — | — |
| debian | debian_linux | — | — |
| debian | sqlparse | < sqlparse 0.4.2-1+deb12u1 (bookworm) | sqlparse 0.4.2-1+deb12u1 (bookworm) |
| sqlparse_project | sqlparse | >= 0 < 0.4.1-1+deb11u1 | 0.4.1-1+deb11u1 |
| sqlparse_project | sqlparse | >= 0 < 0.4.2-1+deb12u1 | 0.4.2-1+deb12u1 |
| sqlparse_project | sqlparse | >= 0 < 0.4.4-1 | 0.4.4-1 |
| sqlparse_project | sqlparse | >= 0 < 0.4.4-1 | 0.4.4-1 |
| sqlparse_project | sqlparse | >= 0.1.15 < 0.4.4 | 0.4.4 |
| sqlparse_project | sqlparse | >= 0.1.15 < 0.4.4 | 0.4.4 |
CVSS provenance
- nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- osv: 7.5 HIGH
- vendor_debian: 5.5 MEDIUM
- vendor_redhat: 5.5 MEDIUM
GHSA
sqlparse contains a regular expression that is vulnerable to Regular Expression Denial of Service
ghsa·2023-04-21
CVE-2023-30608 [MEDIUM] CWE-1333
### Impact
The SQL parser contains a regular expression that is vulnerable to [ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) (Regular Expression Denial of Service). The vulnerability may lead to Denial of Service (DoS).
### Patches
This issue has been fixed in sqlparse 0.4.4.
### Workarounds
None.
### References
This issue was discovered and reported by GHSL team member [@erik-krogh (Erik Krogh Kristensen)](https://github.com/erik-krogh).
- Commit that introduced the vulnerability: e75e35869473832a1eb67772b1adfee2db11b85a
OSV
sqlparse contains a regular expression that is vulnerable to Regular Expression Denial of Service
osv·2023-04-21
CVE-2023-30608 [MEDIUM]
Advisory text (Impact, Patches, Workarounds, References) is identical to the GHSA entry above.
OSV
CVE-2023-30608: sqlparse is a non-validating SQL parser module for Python
osv·2023-04-18·CVSS 7.5
CVE-2023-30608 [HIGH]
Description is the same NVD text as the summary at the top of this page.
Ubuntu
SQL parse vulnerability
vendor_ubuntu·2023-05-10
CVE-2023-30608
Summary: SQL parse could be made to deny service if it received a specially crafted regular expression.
It was discovered that SQL parse incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
sqlparse: Parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service)
vendor_redhat·2023-04-19·CVSS 5.5
CVE-2023-30608 [MEDIUM] CWE-1333
Description is the same NVD text as the summary at the top of this page.
A flaw was found in sqlparse. The SQL parser contains a regular expression vulnerable to a Regular Expression Denial of Service (ReDoS). The vulnerability may lead to a denial of service (DoS).
Package: python-sqlparse (Red Hat Ansible Automat
Debian
CVE-2023-30608: sqlparse - sqlparse is a non-validating SQL parser module for Python. In affected versions ...
vendor_debian·2023·CVSS 5.5
CVE-2023-30608 [MEDIUM]
Description is the same NVD text as the summary at the top of this page.
Scope: local
- bookworm: resolved (fixed in 0.4.2-1+deb12u1)
- bullseye: resolved (fixed in 0.4.1-1+deb11u1)
- forky: resolved (fixed in 0.4.4-1)
- sid: resolved (fixed in 0.4.4-1)
- trixie: resolved (fixed in 0.4.4-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
- https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a
- https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
- https://lists.debian.org/debian-lts-announce/2023/05/msg00017.html
- https://lists.debian.org/debian-lts-announce/2024/12/msg00022.html
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
Published: 2023-04-18