[Snyk:High] Sqlparse (Due 05/17/24) #6207

Closed
tmpayton opened this issue Apr 17, 2024 · 1 comment
Labels
Security: high Remediate within 30 days

Comments

@tmpayton
Contributor

Introduced through
django@3.2.25, django-storages@1.14.2 and others

Fixed in
sqlparse@0.5.0

Exploit maturity
PROOF OF CONCEPT

Detailed paths and remediation
Introduced through: project@0.0.0 › django@3.2.25 › sqlparse@0.4.4
Fix: Pin sqlparse to version 0.5.0
Introduced through: project@0.0.0 › django-storages@1.14.2 › django@3.2.25 › sqlparse@0.4.4
Fix: Pin sqlparse to version 0.5.0
Introduced through: project@0.0.0 › django-libsass@0.7 › django-compressor@4.4 › django-appconf@1.0.6 › django@3.2.25 › sqlparse@0.4.4
Fix: Pin sqlparse to version 0.5.0
Security information
Factors contributing to the scoring:
Snyk: CVSS 7.5 - High Severity

NVD: NVD only publishes analysis of vulnerabilities which are assigned a CVE ID. This vulnerability currently does not have an assigned CVE ID.
Overview
Affected versions of this package are vulnerable to Uncontrolled Recursion due to the parsing of heavily nested lists. An attacker can cause the application to crash by submitting a specially crafted list that triggers a RecursionError.

Note: The impact depends on the use, so anyone parsing user input with sqlparse.parse() is affected.

Completion Criteria

  • upgrade sqlparse to v0.5.0
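The advisory text above says that heavily nested lists make sqlparse 0.4.4 recurse until Python raises a RecursionError, and that any code passing user input to sqlparse.parse() is exposed. The durable remediation is the upgrade in the completion criteria; the snippet below is an added defence-in-depth example (not code from this issue, from fec-cms or from sqlparse) for a service that must accept user-supplied SQL regardless. It bounds bracket nesting depth before the parser ever sees the text and converts a RecursionError into a clean rejection. The depth limit MAX_NESTING, the helper names and the sample statements are assumptions constructed for illustration.

```python
"""Guard rail for untrusted SQL handed to sqlparse.parse().

Added example, not part of the fec-cms issue or of sqlparse itself. The
advisory says heavily nested lists make sqlparse 0.4.4 recurse until Python
raises RecursionError. Upgrading to 0.5.0 is the fix; these helpers are an
extra layer that bounds nesting depth before parsing and contains the error
if the parser still hits the recursion limit. MAX_NESTING is an assumed
operational limit, not a value from the advisory.
"""
from __future__ import annotations

MAX_NESTING = 50  # assumed limit; tune to the SQL shapes your app legitimately accepts


def max_nesting_depth(sql: str) -> int:
    """Return the deepest '(' / ')' nesting level in *sql*.

    Brackets inside single-quoted string literals are skipped, so a literal
    such as '(((' does not count as nesting, and a doubled '' inside a
    literal is treated as an escaped quote. A stray ')' is ignored rather
    than allowed to push the depth negative.
    """
    depth = 0
    deepest = 0
    in_string = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 1  # escaped quote, still inside the literal
                else:
                    in_string = False
        elif ch == "'":
            in_string = True
        elif ch == "(":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ")":
            depth = max(0, depth - 1)
        i += 1
    return deepest


def check_nesting(sql: str, limit: int = MAX_NESTING) -> tuple[bool, str]:
    """Return (accepted, reason) for *sql* measured against *limit*."""
    depth = max_nesting_depth(sql)
    if depth > limit:
        return False, f"rejected: nesting depth {depth} exceeds limit {limit}"
    return True, f"ok: nesting depth {depth}"


def safe_parse(sql: str, limit: int = MAX_NESTING):
    """Parse *sql* with sqlparse only after the depth check passes.

    Returns the parsed statements, or None when the input is rejected or the
    parser still exhausts Python's recursion limit. sqlparse is imported
    lazily so the depth check itself has no third-party dependency.
    """
    accepted, reason = check_nesting(sql, limit)
    if not accepted:
        print(reason)
        return None
    import sqlparse  # the real library; only needed when we actually parse

    try:
        return sqlparse.parse(sql)
    except RecursionError:
        # Behaviour the advisory describes for 0.4.4; never let it escape
        print("rejected: parser exceeded the recursion limit")
        return None


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary query and one nested past the limit.
    benign = "SELECT id FROM t WHERE x IN (1, 2, (SELECT y FROM u)) AND n = '(((('"
    nested = "SELECT 1 WHERE a IN " + "(" * 200 + "1" + ")" * 200
    print(check_nesting(benign))
    print(check_nesting(nested))
```

The depth check is a cheap linear scan, so it is safe to run on every request before the comparatively expensive parse; log the rejection reason rather than echoing the offending statement back to the caller.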
@tmpayton tmpayton added the Security: high Remediate within 30 days label Apr 17, 2024
@tmpayton tmpayton added this to the 24.i milestone Apr 17, 2024
@tmpayton tmpayton changed the title [Snyk High] Sqlparse (Due 05/17/24) [Snyk:High] Sqlparse (Due 05/17/24) Apr 17, 2024
@pkfec
Contributor

pkfec commented May 15, 2024

Django v3.2.25, on the SNYK dashboard mentioned in this ticket, is outdated. As of today, fec-cms is running on Django 4.2.10. Latest Develop and Master builds show that Django pulls the latest sqlparse 0.5.0.

Closing this issue as this vulnerability no longer shows on the SNYK CLI.

@pkfec pkfec closed this as completed May 15, 2024