PyGreSQL Might Be Vulnerable to Encoding-Based SQL Injection

High severity GitHub Reviewed Published May 2, 2022 to the GitHub Advisory Database • Updated Feb 8, 2024

Package

PyGreSQL (pip)

Affected versions

<= 3.8.1
= 4.0

Patched versions

4.1

Description

PyGreSQL 3.8 did not use PostgreSQL’s safe string and bytea functions in its own escaping functions. As a result, applications that rely on PyGreSQL’s escaping functions are vulnerable to SQL injection when processing certain multi-byte character sequences. Because the safe functions require a database connection, pg.escape_string() and pg.escape_bytea() remain available for backwards compatibility, but applications must be adjusted to use the new connection-level pyobj.escape_string() and pyobj.escape_bytea() methods. For example, code containing:

import pg
connection = pg.connect(...)
escaped = pg.escape_string(untrusted_input)

should be adjusted to use:

import pg
connection = pg.connect(...)
escaped = connection.escape_string(untrusted_input)
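To show why a connection-unaware escaper is unsafe, here is an added illustration that is not PyGreSQL's own code. It assumes a GBK client encoding (where 0x5C, the backslash, can be the trailing byte of a two-byte character) and a server that interprets backslash escapes; the sample inputs are constructed.

```python
# Added illustration, not PyGreSQL's code: escaping that does not know the
# connection's client encoding versus escaping that validates input in that
# encoding first. Assumes GBK and backslash-interpreting string literals.

def naive_escape(raw: bytes) -> bytes:
    """Byte-wise backslash escaping with no knowledge of the client encoding,
    the class of behaviour the advisory describes for pg.escape_string()."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")

def encoding_aware_escape(raw: bytes, client_encoding: str) -> bytes:
    """Decode the input as text in the connection's encoding first, so that a
    malformed sequence is rejected instead of passed through, then escape at
    the character level (doubling quotes and backslashes)."""
    text = raw.decode(client_encoding)  # UnicodeDecodeError on malformed input
    text = text.replace("\\", "\\\\").replace("'", "''")
    return text.encode(client_encoding)

def unescaped_quotes(escaped: bytes, client_encoding: str) -> int:
    """Count single quotes the server would treat as unescaped when it parses
    the bytes as text in client_encoding: a backslash escapes the next
    character and a doubled quote is one escaped quote."""
    text = escaped.decode(client_encoding, errors="replace")
    count, i = 0, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2
            continue
        if ch == "'":
            if text[i + 1:i + 2] == "'":
                i += 2
                continue
            count += 1
        i += 1
    return count

def demo(client_encoding: str = "gbk") -> dict:
    # Constructed input: a GBK lead byte followed by a quote. Naive escaping
    # inserts 0x5C, which the server reads as the trailing byte of a two-byte
    # character, leaving the quote unescaped; encoding-aware escaping rejects
    # the input because 0xBF 0x27 is not a valid GBK sequence.
    tricky = b"\xbf'"
    results = {"naive_unescaped": unescaped_quotes(naive_escape(tricky), client_encoding)}
    try:
        encoding_aware_escape(tricky, client_encoding)
        results["aware_rejected"] = False
    except UnicodeDecodeError:
        results["aware_rejected"] = True
    return results
```

For well-formed input both escapers leave no unescaped quote; the difference appears only on the malformed sequence, which is exactly what a connection-aware escaper can detect.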

Published by the National Vulnerability Database Oct 22, 2009
Published to the GitHub Advisory Database May 2, 2022
Reviewed Feb 8, 2024
Last updated Feb 8, 2024

Severity

High

EPSS score

1.121%
(84th percentile)

CVE ID

CVE-2009-2940

GHSA ID

GHSA-xv6x-43gq-4hfj
