exploitDog

CVE-2024-36039

Published: 21 May 2024
Source: redhat
CVSS3: 6.3
EPSS: Low

Description

PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.

A flaw was found in PyMySQL. The escape_dict function escapes the values of a dictionary but not its keys, so an application that passes an untrusted JSON object through it and then uses the returned keys when building a query allows an attacker to inject SQL.

Statement

Applications not exposed to untrusted JSON input are not vulnerable to this issue. Additionally, exploitation of this vulnerability depends on the permissions granted to the database user, limiting the security impact. For this reason, this flaw was rated with a Moderate severity.

Mitigation

Make sure the permissions granted to the database user are limited to what the application needs (per database, table and operation). Do not pass untrusted JSON objects to the PyMySQL escaping functions and do not use their keys as SQL identifiers.

Affected packages

Platform | Package | State | Advisory | Release date
Red Hat Enterprise Linux 10 | python-PyMySQL | Not affected | |
Red Hat Enterprise Linux 8 | python27:2.7/python-PyMySQL | Will not fix | |
Red Hat Enterprise Linux 8 | python36:3.6/python-PyMySQL | Will not fix | |
Red Hat Enterprise Linux 8 | python39:3.9/python-PyMySQL | Will not fix | |
Red Hat Enterprise Linux 9 | python-PyMySQL | Will not fix | |
Red Hat Quay 3 | quay/quay-rhel8 | Affected | |
Red Hat Software Collections | rh-python38-python-PyMySQL | Will not fix | |
Red Hat Enterprise Linux 8 | python3.11-PyMySQL | Fixed | RHSA-2024:4244 | 2024-07-02
Red Hat Enterprise Linux 8 | python3.12-PyMySQL | Fixed | RHSA-2024:4245 | 2024-07-02
Red Hat Enterprise Linux 9 | python3.12-PyMySQL | Fixed | RHSA-2024:9193 | 2024-11-12


Additional information

Severity (Red Hat): Moderate
Weakness: CWE-89 (SQL Injection)
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2282821 (python-pymysql: SQL injection if used with untrusted JSON input)

EPSS: 0.00062 (percentile 20%, Low)
CVSS3: 6.3 (Medium)

Related vulnerabilities

CVSS3: 6.3
ubuntu
about 1 year ago

PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.

CVSS3: 6.3
nvd
about 1 year ago

PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.

CVSS3: 6.3
msrc
3 months ago

No description

CVSS3: 6.3
debian
about 1 year ago

PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON ...

suse-cvrf
about 1 year ago

Security update for python-PyMySQL
