{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-36039", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-11-21T15:27:54.677Z", "dateReserved": "2024-05-18T00:00:00", "datePublished": "2024-05-21T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-24T07:05:59.955597"}, "descriptions": [{"lang": "en", "value": "PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.1"}, {"name": "[debian-lts-announce] 20240527 [SECURITY] [DLA 3822-1] python-pymysql security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00017.html"}, {"name": "FEDORA-2024-e7141ab284", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35VOJS3SRJNLQIO7YTZFNM6RWHIHWTMK/"}, {"name": "FEDORA-2024-b26f07d27b", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/23VXBV34GFRICCVYZ6KFMSSWY5UEXCF5/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-06-12T15:05:27.823630Z", "id": "CVE-2024-36039", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-21T15:27:54.677Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:30:12.524Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.1", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20240527 [SECURITY] [DLA 3822-1] python-pymysql security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00017.html"}, {"name": "FEDORA-2024-e7141ab284", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35VOJS3SRJNLQIO7YTZFNM6RWHIHWTMK/"}, {"name": "FEDORA-2024-b26f07d27b", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/23VXBV34GFRICCVYZ6KFMSSWY5UEXCF5/"}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.1", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00017.html", "name": "[debian-lts-announce] 20240527 [SECURITY] [DLA 3822-1] python-pymysql security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35VOJS3SRJNLQIO7YTZFNM6RWHIHWTMK/", "name": "FEDORA-2024-e7141ab284", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/23VXBV34GFRICCVYZ6KFMSSWY5UEXCF5/", "name": "FEDORA-2024-b26f07d27b", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:30:12.524Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-36039", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-12T15:05:27.823630Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T15:05:32.678Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.1"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00017.html", "name": "[debian-lts-announce] 20240527 [SECURITY] [DLA 3822-1] python-pymysql security update", "tags": ["mailing-list"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35VOJS3SRJNLQIO7YTZFNM6RWHIHWTMK/", "name": "FEDORA-2024-e7141ab284", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/23VXBV34GFRICCVYZ6KFMSSWY5UEXCF5/", "name": "FEDORA-2024-b26f07d27b", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-24T07:05:59.955597"}}}, "cveMetadata": {"cveId": "CVE-2024-36039", "state": "PUBLISHED", "dateUpdated": "2024-11-21T15:27:54.677Z", "dateReserved": "2024-05-18T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-05-21T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict."}, {"lang": "es", "value": " PyMySQL hasta 1.1.0 permite la inyecci\u00f3n de SQL si se usa con entradas JSON que no son de confianza porque escape_dict no escapa las claves."}], "id": "CVE-2024-36039", "lastModified": "2024-11-21T16:15:24.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-21T16:15:26.293", "references": [{"source": "cve@mitre.org", "url": "https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.1"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00017.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/23VXBV34GFRICCVYZ6KFMSSWY5UEXCF5/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35VOJS3SRJNLQIO7YTZFNM6RWHIHWTMK/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/23VXBV34GFRICCVYZ6KFMSSWY5UEXCF5/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35VOJS3SRJNLQIO7YTZFNM6RWHIHWTMK/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:4244", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python3.11-PyMySQL-0:1.0.2-2.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2024:4245", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python3.12-PyMySQL-0:1.1.0-3.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2024:9193", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "python3.12-PyMySQL-0:1.1.0-3.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:9194", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "python3.11-PyMySQL-0:1.0.2-2.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "python-pymysql: SQL injection if used with untrusted JSON input", "id": "2282821", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282821"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-89", "details": ["PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.", "A flaw was found in PyMySQL. When processing untrusted JSON input, keys are not escaped by the escape_dict function due to insufficient input sanitization, allowing an attacker to inject malicious SQL queries."], "mitigation": {"lang": "en:us", "value": "Make sure the permissions are set correctly for each user, database, table, operation, etc. Do not expose the PyMySQL library to untrusted JSON input."}, "name": "CVE-2024-36039", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "python-PyMySQL", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "python27:2.7/python-PyMySQL", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "python36:3.6/python-PyMySQL", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "python39:3.9/python-PyMySQL", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "python-PyMySQL", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-python38-python-PyMySQL", "product_name": "Red Hat Software Collections"}], "public_date": "2024-05-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-36039\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36039"], "statement": "Applications not exposed to untrusted JSON input are not vulnerable to this issue. Additionally, exploitation of this vulnerability depends on the permissions granted to the database user, limiting the security impact. For this reason, this flaw was rated with a Moderate severity.", "threat_severity": "Moderate"}