Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-4tca-fufm-qydy

Summary A SQL injection vulnerability in pycsw all versions before 2.0.2, 1.10.5 and 1.8.6 that leads to read and extract of any data from any table in the pycsw database that the database user has access to. Also on PostgreSQL (at least) it is possible to perform updates/inserts/deletes and database modifications to any table the database user has access to.

Aliases

alias	CVE-2016-8640

alias	GHSA-hg4c-rgvm-964g

alias	PYSEC-2018-98

Fixed_packages

url	pkg:pypi/pycsw@1.10.5
purl	pkg:pypi/pycsw@1.10.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.10.5

url	pkg:pypi/pycsw@1.8.6
purl	pkg:pypi/pycsw@1.8.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.8.6

url	pkg:pypi/pycsw@2.0.2
purl	pkg:pypi/pycsw@2.0.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@2.0.2

Affected_packages

url pkg:pypi/pycsw@1.10.0

purl pkg:pypi/pycsw@1.10.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.10.0

url pkg:pypi/pycsw@1.10.1

purl pkg:pypi/pycsw@1.10.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.10.1

url pkg:pypi/pycsw@1.10.2

purl pkg:pypi/pycsw@1.10.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.10.2

url pkg:pypi/pycsw@1.10.3

purl pkg:pypi/pycsw@1.10.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.10.3

url pkg:pypi/pycsw@1.10.4

purl pkg:pypi/pycsw@1.10.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.10.4

url pkg:pypi/pycsw@1.4.0

purl pkg:pypi/pycsw@1.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.4.0

url pkg:pypi/pycsw@1.4.1

purl pkg:pypi/pycsw@1.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.4.1

url pkg:pypi/pycsw@1.4.2

purl pkg:pypi/pycsw@1.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.4.2

url pkg:pypi/pycsw@1.6.0

purl pkg:pypi/pycsw@1.6.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.6.0

url pkg:pypi/pycsw@1.6.1

purl pkg:pypi/pycsw@1.6.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.6.1

url pkg:pypi/pycsw@1.6.2

purl pkg:pypi/pycsw@1.6.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.6.2

url pkg:pypi/pycsw@1.6.3

purl pkg:pypi/pycsw@1.6.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.6.3

url pkg:pypi/pycsw@1.6.4

purl pkg:pypi/pycsw@1.6.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.6.4

url pkg:pypi/pycsw@1.8.0

purl pkg:pypi/pycsw@1.8.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.8.0

url pkg:pypi/pycsw@1.8.1

purl pkg:pypi/pycsw@1.8.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.8.1

url pkg:pypi/pycsw@1.8.2

purl pkg:pypi/pycsw@1.8.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.8.2

url pkg:pypi/pycsw@1.8.3

purl pkg:pypi/pycsw@1.8.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.8.3

url pkg:pypi/pycsw@1.8.4

purl pkg:pypi/pycsw@1.8.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.8.4

url pkg:pypi/pycsw@1.8.5

purl pkg:pypi/pycsw@1.8.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@1.8.5

url pkg:pypi/pycsw@2.0.0

purl pkg:pypi/pycsw@2.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@2.0.0

url pkg:pypi/pycsw@2.0.1

purl pkg:pypi/pycsw@2.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tca-fufm-qydy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycsw@2.0.1

References

reference_url	http://seclists.org/oss-sec/2016/q4/406
reference_id
reference_type
scores
url	http://seclists.org/oss-sec/2016/q4/406

reference_url	https://github.com/advisories/GHSA-hg4c-rgvm-964g
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-hg4c-rgvm-964g

reference_url	https://github.com/geopython/pycsw
reference_id
reference_type
scores
url	https://github.com/geopython/pycsw

reference_url	https://github.com/geopython/pycsw/commit/522873e5ce48bb9cbd4e7e8168ca881ce709c222
reference_id
reference_type
scores
url	https://github.com/geopython/pycsw/commit/522873e5ce48bb9cbd4e7e8168ca881ce709c222

reference_url	https://github.com/geopython/pycsw/commit/69546e13527c82e4f9191769215490381ad511b2
reference_id
reference_type
scores
url	https://github.com/geopython/pycsw/commit/69546e13527c82e4f9191769215490381ad511b2

reference_url	https://github.com/geopython/pycsw/commit/daaf09b4b920708a415be3c7f446739661ba3753
reference_id
reference_type
scores
url	https://github.com/geopython/pycsw/commit/daaf09b4b920708a415be3c7f446739661ba3753

reference_url	https://github.com/geopython/pycsw/pull/474/files
reference_id
reference_type
scores
url	https://github.com/geopython/pycsw/pull/474/files

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/pycsw/PYSEC-2018-98.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/pycsw/PYSEC-2018-98.yaml

reference_url	https://patch-diff.githubusercontent.com/raw/geopython/pycsw/pull/474.patch
reference_id
reference_type
scores
url	https://patch-diff.githubusercontent.com/raw/geopython/pycsw/pull/474.patch

reference_url	http://www.securityfocus.com/bid/94302
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/94302

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2016-8640
reference_id	CVE-2016-8640
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2016-8640

Weaknesses

cwe_id	89
name	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
description	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4tca-fufm-qydy

Vulnerability Instance