CVE-2023-30608
published 2023-04-18


Priority: P336 | Severity: high | CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.98% (57.8th percentile)
sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issue has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.

Affected

9 ranges

Vendor             Product        Version range                                 Fixed in
andialbrecht       sqlparse       -                                             -
debian             debian_linux   -                                             -
debian             sqlparse       < sqlparse 0.4.2-1+deb12u1 (bookworm)         sqlparse 0.4.2-1+deb12u1 (bookworm)
sqlparse_project   sqlparse       >= 0, < 0.4.1-1+deb11u1                       0.4.1-1+deb11u1
sqlparse_project   sqlparse       >= 0, < 0.4.2-1+deb12u1                       0.4.2-1+deb12u1
sqlparse_project   sqlparse       >= 0, < 0.4.4-1                               0.4.4-1
sqlparse_project   sqlparse       >= 0, < 0.4.4-1                               0.4.4-1
sqlparse_project   sqlparse       >= 0.1.15, < 0.4.4                            0.4.4
sqlparse_project   sqlparse       >= 0.1.15, < 0.4.4                            0.4.4

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv             -         7.5     HIGH       -
vendor_debian   -         5.5     MEDIUM     -
vendor_redhat   -         5.5     MEDIUM     -