Bugzilla – Bug 1223603
VUL-0: CVE-2024-4340: python-sqlparse,python3-sqlparse: processing of heavily nested list leads to RecursionError in sqlparse.parse()
Last modified: 2024-05-23 12:30:03 UTC
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4340
https://www.cve.org/CVERecord?id=CVE-2024-4340
https://github.com/advisories/GHSA-2m57-hf25-phgg
https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
https://research.jfrog.com/vulnerabilities/sqlparse-stack-exhaustion-dos-jfsa-2024-001031292/
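For reference, the bug class behind this CVE is a recursive-descent grouper whose Python recursion depth tracks the nesting depth of attacker-controlled input, so a long run of "(" exhausts the interpreter stack and raises RecursionError. The following is added example code written for this bug entry; it is a toy illustration of that pattern and its fix, not sqlparse's own grouping code or the upstream commit linked above. The function names, the MAX_DEPTH cap of 512 and the nested_input() payload are assumptions constructed for the example.

```python
"""Toy reproduction of the CVE-2024-4340 bug class (stack exhaustion in a
recursive parenthesis grouper) next to a hardened, non-recursive grouper.
Added example code for this bug entry, not sqlparse's implementation."""

import sys

# Assumed cap for the hardened grouper; real parsers pick a value that
# comfortably covers legitimate SQL while rejecting hostile nesting.
MAX_DEPTH = 512


def nested_input(depth: int) -> str:
    """Constructed attacker-style payload: `depth` nested parentheses."""
    return "(" * depth + "x" + ")" * depth


def group_recursive(tokens, pos=0):
    """Vulnerable pattern: one Python frame per nesting level.
    Returns (group, next_pos); deep input raises RecursionError."""
    group = []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "(":
            inner, pos = group_recursive(tokens, pos + 1)
            group.append(inner)
        elif tok == ")":
            return group, pos + 1
        else:
            group.append(tok)
            pos += 1
    return group, pos


def group_iterative(tokens, max_depth=MAX_DEPTH):
    """Hardened grouper: explicit stack instead of recursion, plus a nesting
    cap so hostile input fails fast with ValueError instead of blowing the
    interpreter stack. Also rejects unbalanced parentheses."""
    root = []
    stack = [root]  # stack[-1] is the group currently being filled
    for tok in tokens:
        if tok == "(":
            if len(stack) > max_depth:
                raise ValueError(f"nesting deeper than {max_depth}")
            new = []
            stack[-1].append(new)
            stack.append(new)
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            stack.pop()
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '('")
    return root


def nesting_depth(group) -> int:
    """Number of nested list levels below `group`, measured without recursion."""
    best = 0
    stack = [(group, 0)]
    while stack:
        g, d = stack.pop()
        best = max(best, d)
        for item in g:
            if isinstance(item, list):
                stack.append((item, d + 1))
    return best


def recursive_survives(depth: int) -> bool:
    """True if the vulnerable grouper finishes on `depth` nested parens."""
    try:
        group_recursive(list(nested_input(depth)))
        return True
    except RecursionError:
        return False


def hardened_outcome(depth: int, max_depth=MAX_DEPTH) -> str:
    """'ok' if the hardened grouper parses the payload to the expected depth,
    'rejected' if the nesting cap (or balance check) refuses it."""
    try:
        result = group_iterative(list(nested_input(depth)), max_depth)
    except ValueError:
        return "rejected"
    return "ok" if nesting_depth(result) == depth else "mismatch"


if __name__ == "__main__":
    print("recursion limit:", sys.getrecursionlimit())
    print("recursive grouper, depth 10:", recursive_survives(10))
    print("recursive grouper, depth 50000:", recursive_survives(50_000))
    print("hardened grouper, depth 512:", hardened_outcome(512))
    print("hardened grouper, depth 513:", hardened_outcome(513))
```

With the default interpreter recursion limit the vulnerable grouper already fails at roughly a thousand levels, so a payload of a few kilobytes is enough to take down a service that feeds untrusted text to such a parser. Catching RecursionError at the call site only masks the symptom; the durable fix is to bound nesting explicitly or parse with an explicit stack, which is the shape of the upstream change referenced above. For the packaged fix, see the SUSE update listed further down in this bug.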
This is an autogenerated message for OBS integration: This bug (1223603) was mentioned in https://build.opensuse.org/request/show/1172288 Factory / python-sqlparse
Sorry about that, I've done so.
SUSE-SU-2024:1767-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1223603
CVE References: CVE-2024-4340
Maintenance Incident: [SUSE:Maintenance:33866](https://smelt.suse.de/incident/33866/)

Sources used:
openSUSE Leap 15.4 (src): python-sqlparse-0.4.4-150400.6.7.1
openSUSE Leap 15.5 (src): python-sqlparse-0.4.4-150400.6.7.1
Public Cloud Module 15-SP4 (src): python-sqlparse-0.4.4-150400.6.7.1
Public Cloud Module 15-SP5 (src): python-sqlparse-0.4.4-150400.6.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.