sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of rn in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround dont use the sqlformat.format function with keyword strip_comments=True or the –strip-comments command line flag when using the sqlformat command line tool. The issues has been fixed in sqlparse 0.4.2.
The product does not properly control the allocation and maintenance of a limited resource.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Sqlparse | Sqlparse_project | 0.4.0 (including) | 0.4.2 (excluding) |
| Red Hat Satellite 6.11 for RHEL 8 | RedHat | python-sqlparse-0:0.4.2-2.el8pc | * |
| Red Hat Satellite 6.11 for RHEL 8 | RedHat | python-sqlparse-0:0.4.2-2.el8pc | * |
| Sqlparse | Ubuntu | devel | * |
| Sqlparse | Ubuntu | hirsute | * |
| Sqlparse | Ubuntu | impish | * |
| Sqlparse | Ubuntu | jammy | * |
| Sqlparse | Ubuntu | trusty | * |
| Sqlparse | Ubuntu | upstream | * |
| Sqlparse | Ubuntu | xenial | * |
Mitigation of resource exhaustion attacks requires that the target system either:
The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.