GHSA-xv6x-43gq-4hfj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xv6x-43gq-4hfj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xv6x-43gq-4hfj/GHSA-xv6x-43gq-4hfj.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-xv6x-43gq-4hfj
- Aliases
- Published
- 2022-05-02T03:40:08Z
- Modified
- 2024-12-04T05:39:23.265047Z
- Summary
- PyGreSQL Might Be Vulnerable to Encoding-Based SQL Injection
- Details
-
PyGreSQL 3.8 did not use PostgreSQL’s safe
stringandbyteafunctions in its own escaping functions. As a result, applications written to use PyGreSQL’s escaping functions are vulnerable to SQL injections when processing certain multi-byte character sequences. Because the safe functions require a database connection, to maintain backwards compatibility,pg.escape_string()andpg.escape_bytea()are still available, but applications will have to be adjusted to use the newpyobj.escape_string()andpyobj.escape_bytea()functions. For example, code containing:import pg connection = pg.connect(...) escaped = pg.escape_string(untrusted_input)should be adjusted to use:
import pg connection = pg.connect(...) escaped = connection.escape_string(untrusted_input) - Database specific
{ "nvd_published_at": "2009-10-22T16:30:00Z", "cwe_ids": [ "CWE-89" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-02-08T21:31:52Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2009-2940
- https://github.com/PyGreSQL/PyGreSQL/commit/8e19320b130946eed6f043297e3e4e005a523612
- https://github.com/PyGreSQL/PyGreSQL/commit/f7237d773e6f4d5a7da3d99bb6bc5062bd07935e
- https://github.com/PyGreSQL/PyGreSQL
- http://ubuntu.com/usn/usn-870-1
- http://www.debian.org/security/2009/dsa-1911
Affected packages
PyPI / pygresql
Package
- Name
- pygresql
- View open source insights on deps.dev
- Purl
- pkg:pypi/pygresql
PyPI / pygresql
Package
- Name
- pygresql
- View open source insights on deps.dev
- Purl
- pkg:pypi/pygresql