CVE-2021-32839 - log back

CVE-2021-32839 edited at 21 Sep 2021 08:44:52
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ In python-sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments.
+
+ Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-comments command line flag when using the sqlformat command line tool.
References
+ https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf
+ https://github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aeb
Notes
CVE-2021-32839 created at 21 Sep 2021 08:43:15