CVE-2023-30608

Name	CVE-2023-30608
Description	sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3425-1, ELA-871-1
Debian Bugs	1034615

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
sqlparse (PTS)	jessie	0.1.13-2	fixed
	stretch (lts), stretch	0.2.2-1+deb9u1	fixed
	buster (security), buster, buster (lts)	0.2.4-1+deb10u1	fixed
	bullseye	0.4.1-1	vulnerable
	bookworm	0.4.2-1	vulnerable
	sid, trixie	0.5.2-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
sqlparse	source	jessie	(not affected)
sqlparse	source	stretch	0.2.2-1+deb9u1	ELA-871-1
sqlparse	source	buster	0.2.4-1+deb10u1	DLA-3425-1
sqlparse	source	(unstable)	0.4.4-1		1034615

Notes

[bookworm] - sqlparse <no-dsa> (Minor issue)
[bullseye] - sqlparse <no-dsa> (Minor issue)
https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
Introduced by: https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a (0.1.15)
Fixed by: https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb (0.4.4)
[jessie] - sqlparse <not-affected> (Vulnerable code introduced later)