CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low
Percentile: 38.2%
The formatter function that strips comments from a SQL statement contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The regular expression may cause exponential backtracking on strings containing many repetitions of ‘\r\n’ in SQL comments.
The issue has been fixed in sqlparse 0.4.2.
Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround, don’t use the sqlformat.format function with the keyword argument strip_comments=True, or the --strip-comments command line flag when using the sqlformat command line tool.
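An added illustration (not sqlparse's own code) of the pattern class the advisory describes and of the timing check a maintainer can run to confirm that a replacement regex no longer blows up. The AMBIGUOUS expression is an assumed example of the shape described above, since the advisory does not print sqlparse's actual expression; SAFE is an unambiguous rewrite that extracts the same trailing line-break run.

```python
import re
import time

# Ambiguous alternation: "\r\n" can be consumed as one alternative or as
# "\r" then "\n", so once " *$" fails the engine retries every split of the
# run (about 2**n paths for n pairs) before the search gives up.
# Assumed illustration of the shape the advisory describes; the advisory
# text itself does not print sqlparse's expression.
AMBIGUOUS = re.compile(r'((\r\n|\r|\n)+) *$')

# Unambiguous rewrite: a character class admits exactly one parse and
# extracts the same trailing newline run, so it is a drop-in replacement.
SAFE = re.compile(r'([\r\n]+) *$')


def trailing_newlines(pattern, text):
    """Trailing line-break run that `pattern` extracts from `text`, or None."""
    m = pattern.search(text)
    return m.group(1) if m else None


def pathological_input(pairs):
    """Constructed input: a comment, many CRLF repetitions, then a
    character that makes " *$" fail, which is what forces backtracking."""
    return "-- comment" + "\r\n" * pairs + "x"


def search_seconds(pattern, text):
    """Wall-clock seconds for a single pattern.search call."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


def slowdown_ratio(pairs=16):
    """How many times slower AMBIGUOUS is than SAFE on the same input.
    Keep `pairs` small: AMBIGUOUS roughly doubles in cost per extra pair."""
    text = pathological_input(pairs)
    return search_seconds(AMBIGUOUS, text) / max(search_seconds(SAFE, text), 1e-9)


if __name__ == "__main__":
    sample = "SELECT 1 -- trailing comment\r\n\r\n  "
    print(repr(trailing_newlines(SAFE, sample)))  # '\r\n\r\n' from both patterns
    for n in (12, 14, 16):  # watch the time double with every extra pair
        print(n, "pairs:", round(search_seconds(AMBIGUOUS, pathological_input(n)), 4), "s")
    print("slowdown: about", round(slowdown_ratio()), "x")
```

CPython's re module has no match timeout, so the durable fix is an unambiguous pattern rather than a guard around the call.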
This issue was discovered by GitHub team members @erik-krogh and @yoff. It was found using a CodeQL query which identifies inefficient regular expressions. You can see the results of the query on python-sqlparse by following this link.
If you have any questions or comments about this advisory:
github.com/advisories/GHSA-p5w8-wqhj-9hhf
github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aeb
github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf
github.com/pypa/advisory-database/tree/main/vulns/sqlparse/PYSEC-2021-333.yaml
nvd.nist.gov/vuln/detail/CVE-2021-32839
securitylab.github.com/advisories/GHSL-2021-107-andialbrecht-sqlparse/