Sql injection

2018-08-0118:29:00

PRIOn knowledge base

www.prio-n.com

7.9 High

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

56.8%

JSON

A SQL injection vulnerability in pycsw all versions before 2.0.2, 1.10.5 and 1.8.6 that leads to read and extract of any data from any table in the pycsw database that the database user has access to. Also on PostgreSQL (at least) it is possible to perform updates/inserts/deletes and database modifications to any table the database user has access to.

CPENameOperatorVersion
pycswge2.0.0
pycswlt2.0.2
pycswlt1.8.6
pycswge1.10.0
pycswlt1.10.5

Name	Operator	Version
pycsw	ge	2.0.0
pycsw	lt	2.0.2
pycsw	lt	1.8.6
pycsw	ge	1.10.0
pycsw	lt	1.10.5

References

seclists.org/oss-sec/2016/q4/406

www.securityfocus.com/bid/94302

github.com/geopython/pycsw/pull/474/files

patch-diff.githubusercontent.com/raw/geopython/pycsw/pull/474.patch