oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2016-8640 pycsw SQL injection issue

From: Angelos Tzotsos <gcpp.kalxas () gmail com>
Date: Fri, 11 Nov 2016 20:45:22 +0200
Hi,
Some days ago, the pycsw team received a security notice from the company Koordinates (thank you) regarding an SQL injection vulnerability in pycsw. An exploit of this vulnerability was demonstrated, which is able to read and extract any data from any table in the pycsw database that the database user has access to. On PostgreSQL (at least) it is possible to perform updates/inserts/deletes, and database modifications to any table the database user has access to.
The vulnerability affects all previously released pycsw versions except 2.0.2, 1.10.5 and 1.8.6 (those have been released after fixing this security issue). 

The security patch can be seen in this git commit:
https://github.com/geopython/pycsw/pull/474/files
https://patch-diff.githubusercontent.com/raw/geopython/pycsw/pull/474.patch
The CVE ID assigned is CVE-2016-8640. Many thanks to the Koordinates team for picking this issue up and to RedHat security team for their help with the CVE. 

Best regards,
Angelos


--
Angelos Tzotsos, PhD
OSGeo Charter Member
http://users.ntua.gr/tzotsos
Previous By Date Next
Previous By Thread Next

Current thread: