Safety vulnerability ID: 71083
The information on this page was manually curated by our Cybersecurity Intelligence Team.
PyMySQL 1.1.1 addresses CVE-2024-36039, a critical SQL injection vulnerability present in versions up to and including 1.1.0. The flaw is in `escape_dict`: when a dict reaches the parameter-escaping path, its values are escaped but its keys are not, so an attacker who controls the keys (typically via untrusted JSON that is decoded and then passed to `Cursor.execute()` as a parameter) can inject SQL into the query.
Latest version: 1.1.1
Pure Python MySQL Driver
Release date: 2024-05-21
> [!WARNING]
> This release fixes a vulnerability (CVE-2024-36039).
> All users are recommended to update to this version.
>
> If you cannot update soon, check that the input value from an
> untrusted source has the expected type. Only dict input
> from an untrusted source can be an attack vector.
* Prohibit dict parameter for `Cursor.execute()`. It didn't produce valid SQL
and might cause SQL injection. (CVE-2024-36039)
* Added ssl_key_password param. #1145
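The release notes above describe the interim mitigation for anyone who cannot upgrade yet: make sure values taken from an untrusted source have the expected type before they reach `Cursor.execute()`, because only dict input is an attack vector. The following is an added example of that check, written for this page and not part of PyMySQL; the JSON request bodies are constructed, the function names are arbitrary, and `cursor` is assumed to be any DB-API cursor (for PyMySQL, `pymysql.connect(...).cursor()`), which is why the block runs offline with only the standard library.

```python
import json
from typing import Any, Sequence

# Constructed sample request bodies for this example (not real traffic).
BENIGN_JSON = '["alice", 30]'
DICT_JSON = '[{"name": "alice"}, 30]'           # a dict where a string was expected
NESTED_DICT_JSON = '[["alice", {"k": 1}], 30]'  # a dict hidden inside a list


def reject_dicts(value: Any, path: str = "param") -> None:
    """Raise TypeError if a dict appears anywhere in value, including inside lists.

    Lists are walked because a sequence parameter is rendered element by element,
    so a dict nested in a list would still reach the driver's escaping code.
    """
    if isinstance(value, dict):
        raise TypeError(f"{path}: dict is not allowed as a query parameter (CVE-2024-36039)")
    if isinstance(value, (list, tuple)):
        for i, item in enumerate(value):
            reject_dicts(item, f"{path}[{i}]")


def load_params(raw_json: str, expected_types: Sequence[type]) -> tuple:
    """Parse a JSON array of parameters and enforce one expected Python type per position.

    Returns a plain tuple suitable for cursor.execute(sql, params). Anything that is
    not a JSON array of the right length, contains a dict, or holds a value of the
    wrong type is rejected before it can reach the driver.
    """
    try:
        values = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"parameters are not valid JSON: {exc}") from None
    if not isinstance(values, list) or len(values) != len(expected_types):
        raise TypeError(f"expected a JSON array of {len(expected_types)} parameters")
    for i, (value, expected) in enumerate(zip(values, expected_types)):
        reject_dicts(value, f"param[{i}]")
        # bool is a subclass of int, so check it explicitly: true must not pass as an int.
        wrong_bool = isinstance(value, bool) and expected is not bool
        if wrong_bool or not isinstance(value, expected):
            raise TypeError(
                f"param[{i}]: expected {expected.__name__}, got {type(value).__name__}"
            )
    return tuple(values)


def execute_with_untrusted_params(cursor, sql: str, raw_json: str,
                                  expected_types: Sequence[type]) -> tuple:
    """Validate raw_json, then run sql (positional %s placeholders) with a tuple.

    cursor is assumed to be a DB-API cursor; no dict ever reaches cursor.execute().
    """
    params = load_params(raw_json, expected_types)
    cursor.execute(sql, params)
    return params


if __name__ == "__main__":
    # Hypothetical usage with a real driver (not run here):
    #   cur = pymysql.connect(host=..., user=..., password=..., database=...).cursor()
    #   execute_with_untrusted_params(cur, "INSERT INTO users (name, age) VALUES (%s, %s)",
    #                                 request_body, (str, int))
    print(load_params(BENIGN_JSON, (str, int)))
    for bad in (DICT_JSON, NESTED_DICT_JSON):
        try:
            load_params(bad, (str, int))
        except TypeError as exc:
            print("rejected:", exc)
```

The check is deliberately stricter than "not a dict": it also pins each position to one type and walks nested lists, so a dict smuggled one level down is refused as well. After upgrading to 1.1.1 the driver itself rejects dict parameters, but keeping a schema check at the trust boundary costs nothing and does not depend on the driver version.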