OpenCVE

Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Ansible Automation Platform

No data.

Package	CPE	Advisory	Released Date
Red Hat Ansible Automation Platform 2.4 for RHEL 8
python3x-sqlparse-0:0.5.0-1.el8ap	cpe:/a:redhat:ansible_automation_platform:2.4::el8	RHSA-2024:3781	2024-06-10T00:00:00Z
Red Hat Ansible Automation Platform 2.4 for RHEL 9
python-sqlparse-0:0.5.0-1.el9ap	cpe:/a:redhat:ansible_automation_platform:2.4::el9	RHSA-2024:3781	2024-06-10T00:00:00Z

References

Link	Providers
https://github.com/advisories/GHSA-2m57-hf25-phgg
https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
https://nvd.nist.gov/vuln/detail/CVE-2024-4340
https://research.jfrog.com/vulnerabilities/sqlparse-stack-exhaustion-dos-jfsa-2024-001031292/
https://www.cve.org/CVERecord?id=CVE-2024-4340

History

No history.

MITRE

Status: PUBLISHED

Assigner: JFROG

Published: 2024-04-30T14:23:03.435Z

Updated: 2024-08-01T20:40:46.508Z

Reserved: 2024-04-30T11:12:30.839Z

Link: CVE-2024-4340

Vulnrichment

Updated: 2024-08-01T20:40:46.508Z

NVD

Status : Awaiting Analysis

Published: 2024-04-30T15:15:53.407

Modified: 2024-04-30T17:52:35.057

Link: CVE-2024-4340

Redhat

Severity : Moderate

Publid Date: 2024-04-30T00:00:00Z

Links: CVE-2024-4340 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-4340", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "state": "PUBLISHED", "assignerShortName": "JFROG", "dateReserved": "2024-04-30T11:12:30.839Z", "datePublished": "2024-04-30T14:23:03.435Z", "dateUpdated": "2024-08-01T20:40:46.508Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.org/project/pip", "packageName": "sqlparse", "versions": [{"lessThan": "0.5.0", "status": "affected", "version": "0", "versionType": "python"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.</p>"}], "value": "Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "description": "CWE-674 Uncontrolled Recursion", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2024-04-30T14:23:03.435Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://research.jfrog.com/vulnerabilities/sqlparse-stack-exhaustion-dos-jfsa-2024-001031292/"}, {"tags": ["patch"], "url": "https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03"}, {"url": "https://github.com/advisories/GHSA-2m57-hf25-phgg"}], "source": {"discovery": "EXTERNAL"}, "title": "Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError."}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4340", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-30T16:07:16.196262Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sqlparse_project:sqlparse:*:*:*:*:*:*:*:*"], "vendor": "sqlparse_project", "product": "sqlparse", "versions": [{"status": "affected", "version": "0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:54:10.848Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:40:46.508Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_transferred"], "url": "https://research.jfrog.com/vulnerabilities/sqlparse-stack-exhaustion-dos-jfsa-2024-001031292/"}, {"tags": ["patch", "x_transferred"], "url": "https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03"}, {"url": "https://github.com/advisories/GHSA-2m57-hf25-phgg", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://research.jfrog.com/vulnerabilities/sqlparse-stack-exhaustion-dos-jfsa-2024-001031292/", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03", "tags": ["patch", "x_transferred"]}, {"url": "https://github.com/advisories/GHSA-2m57-hf25-phgg", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:40:46.508Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4340", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-30T16:07:16.196262Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sqlparse_project:sqlparse:*:*:*:*:*:*:*:*"], "vendor": "sqlparse_project", "product": "sqlparse", "versions": [{"status": "affected", "version": "0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-30T16:08:45.901Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "0.5.0", "versionType": "python"}], "packageName": "sqlparse", "collectionURL": "https://pypi.org/project/pip"}], "references": [{"url": "https://research.jfrog.com/vulnerabilities/sqlparse-stack-exhaustion-dos-jfsa-2024-001031292/", "tags": ["third-party-advisory"]}, {"url": "https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03", "tags": ["patch"]}, {"url": "https://github.com/advisories/GHSA-2m57-hf25-phgg"}], "descriptions": [{"lang": "en", "value": "Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "CWE-674 Uncontrolled Recursion"}]}], "providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2024-04-30T14:23:03.435Z"}}}, "cveMetadata": {"cveId": "CVE-2024-4340", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:40:46.508Z", "dateReserved": "2024-04-30T11:12:30.839Z", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "datePublished": "2024-04-30T14:23:03.435Z", "assignerShortName": "JFROG"}, "dataVersion": "5.1"}

{"affected_release": [{"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "python3x-sqlparse-0:0.5.0-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "python-sqlparse-0:0.5.0-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-06-10T00:00:00Z"}], "bugzilla": {"description": "sqlparse: parsing heavily nested list leads to denial of service", "id": "2278038", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278038"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-674", "details": ["Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.", "A flaw was found in sqlparse. This issue occurs in a heavily nested list in sqlparse.parse(), where a recursion error may be triggered, which can lead to a denial of service."], "name": "CVE-2024-4340", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "python-sqlparse", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "python-sqlparse", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "python-sqlparse", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "python-sqlparse", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "python-sqlparse", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "python-sqlparse", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhui:4::el8", "fix_state": "Affected", "package_name": "python-sqlparse", "product_name": "Red Hat Update Infrastructure 4 for Cloud Providers"}], "public_date": "2024-04-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-4340\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-4340\nhttps://github.com/advisories/GHSA-2m57-hf25-phgg"], "threat_severity": "Moderate", "upstream_fix": "sqlparse 0.5.0"}