CVE-2009-2940: PyGreSQL Might Be Vulnerable to Encoding-Based SQL Injection
(updated )
PyGreSQL 3.8 did not use PostgreSQL’s safe string and bytea functions in its own escaping functions. As a result, applications written to use PyGreSQL’s escaping functions are vulnerable to SQL injections when processing certain multi-byte character sequences. Because the safe functions require a database connection, to maintain backwards compatibility, pg.escape_string() and pg.escape_bytea() are still available, but applications will have to be adjusted to use the new pyobj.escape_string() and pyobj.escape_bytea() functions. For example, code containing:
import pg
connection = pg.connect(...)
escaped = pg.escape_string(untrusted_input)
should be adjusted to use:
import pg
connection = pg.connect(...)
escaped = connection.escape_string(untrusted_input)
References
- github.com/PyGreSQL/PyGreSQL/commit/8e19320b130946eed6f043297e3e4e005a523612
- github.com/PyGreSQL/PyGreSQL/commit/f7237d773e6f4d5a7da3d99bb6bc5062bd07935e
- github.com/advisories/GHSA-xv6x-43gq-4hfj
- github.com/pypa/advisory-database/tree/main/vulns/pygresql/PYSEC-2009-18.yaml
- nvd.nist.gov/vuln/detail/CVE-2009-2940
Code Behaviors & Features
Detect and mitigate CVE-2009-2940 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →