CVE-2009-2940: PyGreSQL Might Be Vulnerable to Encoding-Based SQL Injection
The pygresql module 3.8.1 and 4.0 for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings.
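Why escaping has to know the connection's encoding, as an added example that is not PyGreSQL or libpq code and does not reproduce the module's exact flaw: a byte-wise escaper is compared with a character-wise one under a simplified model of the server's string lexer. The cp932 client encoding, the backslash-escape setting and all function names are assumptions made for the illustration.

```python
# Added illustration: a simplified model, not PyGreSQL or libpq code.
# Assumptions: client encoding cp932 (Shift-JIS family) and a server that
# treats backslash as an escape inside '...' (standard_conforming_strings off).
ENC = "cp932"

def naive_escape(raw: bytes) -> bytes:
    """Encoding-unaware: every 0x5C or 0x27 byte is treated as ASCII."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"''")

def aware_escape(raw: bytes, encoding: str = ENC) -> bytes:
    """Encoding-aware: decode strictly, then escape whole characters."""
    text = raw.decode(encoding)  # malformed input raises UnicodeDecodeError
    escaped = "".join({"\\": "\\\\", "'": "''"}.get(ch, ch) for ch in text)
    return escaped.encode(encoding)

def is_single_literal(escaped: bytes, encoding: str = ENC) -> bool:
    """Model of the server's lexer: does '<escaped>' close exactly at the end?"""
    chars = (b"'" + escaped + b"'").decode(encoding)
    i = 1
    while i < len(chars):
        if chars[i] == "\\":
            i += 2                      # backslash escapes the next character
        elif chars[i] == "'":
            if chars[i + 1:i + 2] == "'":
                i += 2                  # doubled quote stays inside the literal
            else:
                return i == len(chars) - 1   # closing quote: must be the last
        else:
            i += 1
    return False                        # ran off the end: literal never closed

# Constructed sample: ordinary Japanese text, U+8868 followed by an apostrophe.
# In cp932 U+8868 is the two bytes 0x95 0x5C, so its trail byte equals ASCII "\".
SAMPLE = "\u8868'".encode(ENC)

if __name__ == "__main__":
    for name, fn in (("naive", naive_escape), ("aware", aware_escape)):
        out = fn(SAMPLE)
        print(name, out.hex(" "), "single literal:", is_single_literal(out))
```

The byte-wise escaper doubles the trail byte of a legitimate character, so the quoting no longer lines up with what the server decodes; passing values as bound query parameters avoids client-side escaping altogether.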