CVE-2024-4340

NameCVE-2024-4340
DescriptionPassing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4000-1
Debian Bugs1070148

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sqlparse (PTS)bullseye0.4.1-1vulnerable
bullseye (security)0.4.1-1+deb11u1fixed
bookworm0.4.2-1vulnerable
sid, trixie0.5.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sqlparsesourcebullseye0.4.1-1+deb11u1DLA-4000-1
sqlparsesource(unstable)0.5.0-11070148

Notes

[bookworm] - sqlparse <no-dsa> (Minor issue)
[buster] - sqlparse <postponed> (Minor issue)
Fixed by: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03 (0.5.0)
https://github.com/advisories/GHSA-2m57-hf25-phgg
Search for package or bug name: Reporting problems