CVE-2021-32839— sqlparse 资源管理错误漏洞

Regular Expression Denial of Service in sqlparse

sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-comments command line flag when using the sqlformat command line tool. The issues has been fixed in sqlparse 0.4.2.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

未加控制的资源消耗(资源穷尽)

sqlparse 资源管理错误漏洞

sqlparse是 Python 的非验证 SQL 解析器。它提供对 SQL 语句的解析、拆分和格式化的支持。 sqlparse 0.4.0 和 0.4.1 版本中存在资源管理错误漏洞，该漏洞允许攻击者进行ReDoS（正则表达式拒绝服务）的攻击。

N/A

N/A