CVE-2016-8640

Published: 01 August 2018

A SQL injection vulnerability in pycsw, all versions before 2.0.2, 1.10.5 and 1.8.6, allows an attacker to read and extract any data from any table in the pycsw database that the database user has access to. On PostgreSQL (at least), it is also possible to perform updates, inserts, deletes and other database modifications on any table the database user has access to.

Priority

Medium

CVSS 3 base score: 9.1

Status

Package                          Release                            Status
pycsw                            Upstream                           Released (2.0.2+dfsg-1)
(Launchpad, Ubuntu, Debian)      Ubuntu 21.04 (Hirsute Hippo)       Not vulnerable (2.0.2+dfsg-1)
                                 Ubuntu 20.10 (Groovy Gorilla)      Not vulnerable (2.0.2+dfsg-1)
                                 Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (2.0.2+dfsg-1)
                                 Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (2.0.2+dfsg-1)
                                 Ubuntu 16.04 ESM (Xenial Xerus)    Ignored (end of standard support, was needed)
                                 Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist