CVE-2023-30608

2023-04-1822:15:08

Debian Security Bug Tracker

security-tracker.debian.org

cve-2023-30608

python

redos

vulnerability

sqlparse

denial of service

upgrade

unix

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

42.2%

JSON

sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit e75e358. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit c457abd5f. Users are advised to upgrade. There are no known workarounds for this issue.

OSVersionArchitecturePackageVersionFilename
Debian12allsqlparse<= 0.4.2-1sqlparse_0.4.2-1_all.deb
Debian11allsqlparse<= 0.4.1-1sqlparse_0.4.1-1_all.deb
Debian999allsqlparse< 0.4.4-1sqlparse_0.4.4-1_all.deb
Debian13allsqlparse< 0.4.4-1sqlparse_0.4.4-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	sqlparse	<= 0.4.2-1	sqlparse_0.4.2-1_all.deb
Debian	11	all	sqlparse	<= 0.4.1-1	sqlparse_0.4.1-1_all.deb
Debian	999	all	sqlparse	< 0.4.4-1	sqlparse_0.4.4-1_all.deb
Debian	13	all	sqlparse	< 0.4.4-1	sqlparse_0.4.4-1_all.deb