CVE-2024-36039

PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
mitreCNA
---
---
CISA-ADPADP
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
Debian logo
Debian Releases
Debian Product
Codename
python-pymysql
bullseye (security)
0.9.3-2+deb11u1
fixed
bullseye
0.9.3-2+deb11u1
fixed
bookworm
1.0.2-2+deb12u1
fixed
bookworm (security)
1.0.2-2+deb12u1
fixed
sid
1.1.1-2
fixed
trixie
1.1.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-pymysql
plucky
Fixed 1.1.1-1ubuntu1
released
oracular
Fixed 1.1.1-1ubuntu1
released
noble
Fixed 1.0.2-2ubuntu1.1
released
mantic
Fixed 1.0.2-1ubuntu1.23.10.1
released
jammy
Fixed 1.0.2-1ubuntu1.22.04.1
released
focal
Fixed 0.9.3-2ubuntu3.1
released
bionic
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.1
https://lists.debian.org/debian-lts-announce/2024/05/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/23VXBV34GFRICCVYZ6KFMSSWY5UEXCF5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35VOJS3SRJNLQIO7YTZFNM6RWHIHWTMK/
https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.1
https://lists.debian.org/debian-lts-announce/2024/05/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/23VXBV34GFRICCVYZ6KFMSSWY5UEXCF5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35VOJS3SRJNLQIO7YTZFNM6RWHIHWTMK/