GitHub Advisory DatabaseGHSA-HG4C-RGVM-964GSQL Injection in pycsw
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
0.002 Low
EPSS
Percentile
56.8%
A SQL injection vulnerability in pycsw all versions before 2.0.2, 1.10.5 and 1.8.6 that leads to read and extract of any data from any table in the pycsw database that the database user has access to. Also on PostgreSQL (at least) it is possible to perform updates/inserts/deletes and database modifications to any table the database user has access to.
Affected configurations
References
seclists.org/oss-sec/2016/q4/406
www.securityfocus.com/bid/94302
github.com/advisories/GHSA-hg4c-rgvm-964g
github.com/geopython/pycsw/commit/522873e5ce48bb9cbd4e7e8168ca881ce709c222
github.com/geopython/pycsw/commit/69546e13527c82e4f9191769215490381ad511b2
github.com/geopython/pycsw/commit/daaf09b4b920708a415be3c7f446739661ba3753
github.com/geopython/pycsw/pull/474/files
nvd.nist.gov/vuln/detail/CVE-2016-8640
patch-diff.githubusercontent.com/raw/geopython/pycsw/pull/474.patch
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
0.002 Low
EPSS
Percentile
56.8%