Security News Detail - SecLens Intelligence Radar

All cybersecurity news in one place: authoritative vulnerability advisories and industry headlines, with grouped browsing, smart filtering, RSS subscriptions and Webhook push notifications to broaden your security intelligence view across multiple channels.

pip/sqlfluff: SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser

Source: github_advisory · Published 2026-05-20 04:10 (UTC+08:00) · Fetched 2026-05-20 09:45 (UTC+08:00)


Summary

Severity: HIGH | CVSS: 7.5 | CVE: CVE-2026-46374 | Package: pip/sqlfluff | Affected: < 4.2.0 | Patched: 4.2.0

Body

### Impact

In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion.

### Patches

Versions 4.2.0 and up contain a configurable parse node limit, which is enabled by default, to prevent this manner of exploit.

### Credit

Ori Nakar from Imperva Threat Research Team.


Extended fields

{
  "cve_id": "CVE-2026-46374",
  "cvss_score": 7.5,
  "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
  "cwe_ids": [
    "CWE-400"
  ],
  "cwe_names": [
    "Uncontrolled Resource Consumption"
  ],
  "ghsa_id": "GHSA-73jc-5mrq-prw7",
  "package": {
    "ecosystem": "pip",
    "name": "sqlfluff",
    "patched_version": "4.2.0",
    "vulnerable_range": "< 4.2.0"
  },
  "references": [
    "https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-73jc-5mrq-prw7",
    "https://github.com/advisories/GHSA-73jc-5mrq-prw7"
  ],
  "source_code_location": "https://github.com/sqlfluff/sqlfluff",
  "updated_at": "2026-05-19T20:10:54Z"
}