Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ubuntucveUbuntu.comUB:CVE-2009-2940
HistoryOct 22, 2009 - 12:00 a.m.

CVE-2009-2940

2009-10-2200:00:00
ubuntu.com
ubuntu.com
5

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.011 Low

EPSS

Percentile

83.9%

JSON

The pygresql module 3.8.1 and 4.0 for Python does not properly support the
PQescapeStringConn function, which might allow remote attackers to leverage
escaping issues involving multibyte character encodings.

Notes

Author Note
jdstrand 1:4.0-0ubuntu1 and higher has the fix affected versions have an escape_string() and escape_bytea() that uses PQescapeString() and PQescapeBytea() from PostgreSQL’s libpq-fe.h. These are known to be problematic. The fix is to create pg_escape_string() and pg_escape_bytea() which use the safe PQescapeStringConn() and PQescapeByteaConn() functions, and then add them to the pgobj methods. Applications will have to be rewritten to use the new functions, specifically, something like this: cnx = pg.connect(…) … escaped = pg.escape_string(str) to be: cnx = pg.connect(…) … escaped = cnx.escape_string(str)
OSVersionArchitecturePackageVersionFilename
ubuntu8.04noarchpygresql< 1:3.8.1-2ubuntu0.1UNKNOWN
ubuntu8.10noarchpygresql< 1:3.8.1-3ubuntu0.1UNKNOWN

Related

openvas 3
debian 1
securityvulns 2
github 1
ubuntu 1
nessus 2
prion 1
osv 2
cve 1
debiancve 1
openvas
openvas
Debian Security Advisory DSA 1911-1 (pygresql)
2009-10-19 00:00:00
Debian: Security Advisory (DSA-1911-1)
2009-10-19 00:00:00
Ubuntu: Security Advisory (USN-870-1)
2022-08-26 00:00:00
debian
debian
[SECURITY] [DSA 1911-1] New pygresql packages provide secure escaping
2009-10-15 00:15:26
securityvulns
securityvulns
[SECURITY] [DSA 1911-1] New pygresql packages provide secure escaping
2009-10-15 00:00:00
pygresql / mysql-ocaml / postgresql-ocaml SQL injection
2009-10-15 00:00:00
github
github
PyGreSQL Might Be Vulnerable to Encoding-Based SQL Injection
2022-05-02 03:40:08
ubuntu
ubuntu
PyGreSQL vulnerability
2009-12-11 00:00:00
nessus
nessus
Ubuntu 8.04 LTS / 8.10 : pygresql vulnerability (USN-870-1)
2009-12-11 00:00:00
Debian DSA-1911-1 : pygresql - missing escape function
2010-02-24 00:00:00
prion
prion
Code injection
2009-10-22 16:30:00
osv
osv
PyGreSQL Might Be Vulnerable to Encoding-Based SQL Injection
2022-05-02 03:40:08
pygresql - missing escape function
2009-10-14 00:00:00
cve
cve
CVE-2009-2940
2009-10-22 16:30:00
debiancve
debiancve
CVE-2009-2940
2009-10-22 16:30:00

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.011 Low

EPSS

Percentile

83.9%

JSON
Related for UB:CVE-2009-2940
openvas3debian1securityvulns2github1ubuntu1nessus2prion1osv2cve1debiancve1