oss-sec mailing list archives
CVE-2016-8640 pycsw SQL injection issue
From: Angelos Tzotsos <gcpp.kalxas () gmail com>
Date: Fri, 11 Nov 2016 20:45:22 +0200
Hi,Some days ago, the pycsw team received a security notice from the company Koordinates (thank you) regarding an SQL injection vulnerability in pycsw. An exploit of this vulnerability was demonstrated, which is able to read and extract any data from any table in the pycsw database that the database user has access to. On PostgreSQL (at least) it is possible to perform updates/inserts/deletes, and database modifications to any table the database user has access to.
The vulnerability affects all previously released pycsw versions except 2.0.2, 1.10.5 and 1.8.6 (those have been released after fixing this security issue).
The security patch can be seen in this git commit: https://github.com/geopython/pycsw/pull/474/files https://patch-diff.githubusercontent.com/raw/geopython/pycsw/pull/474.patchThe CVE ID assigned is CVE-2016-8640. Many thanks to the Koordinates team for picking this issue up and to RedHat security team for their help with the CVE.
Best regards, Angelos -- Angelos Tzotsos, PhD OSGeo Charter Member http://users.ntua.gr/tzotsos
Current thread:
- CVE-2016-8640 pycsw SQL injection issue Angelos Tzotsos (Nov 11)