7.5

CVSS Score

Basic Information

CVE ID

CVE-2009-2940

GHSA ID

GHSA-xv6x-43gq-4hfj

EPSS Score

0.71831%

CWE

CWE-89

Published

5/2/2022

Updated

2/8/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2009-2940

CVE-2009-2940: PyGreSQL Might Be Vulnerable to Encoding-Based SQL Injection

PyGreSQL 3.8 did not use PostgreSQL’s safe string and bytea functions in its own escaping functions. As a result, applications written to use PyGreSQL’s escaping functions are vulnerable to SQL injections when processing certain multi-byte character sequences. Because the safe functions require a database connection, to maintain backwards compatibility, pg.escape_string() and pg.escape_bytea() are still available, but applications will have to be adjusted to use the new pyobj.escape_string() and pyobj.escape_bytea() functions. For example, code containing:

import pg
connection = pg.connect(...)
escaped = pg.escape_string(untrusted_input)

should be adjusted to use:

import pg
connection = pg.connect(...)
escaped = connection.escape_string(untrusted_input)

(GitHub Advisory)

7.5

CVSS Score

Basic Information

CVE ID

CVE-2009-2940

GHSA ID

GHSA-xv6x-43gq-4hfj

EPSS Score

0.71831%

CWE

CWE-89

Published

5/2/2022

Updated

2/8/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
PyGreSQL	pip	<= 3.8.1
PyGreSQL	pip	= 4.0	4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises because PyGreSQL's module-level escaping functions (pg.escape_string and pg.escape_bytea) did not use PostgreSQL's connection-aware escaping functions (PQescapeStringConn/PQescapeByteaConn). The commit diff shows these functions were replaced with connection-dependent methods (e.g., connection.escape_string), and the documentation explicitly warns that the module-level functions lack connection-specific safety checks. The CVE and advisory confirm that these functions are unsafe for multi-byte encodings, making them the root cause of the SQL injection vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Py*r*SQL *.* *i* not us* Post*r*SQL’s s*** `strin*` *n* `*yt**` *un*tions in its own *s**pin* *un*tions. *s * r*sult, *ppli**tions writt*n to us* Py*r*SQL’s *s**pin* *un*tions *r* vuln*r**l* to SQL inj**tions w**n pro**ssin* **rt*in multi-*yt* ***r**

Reasoning

T** vuln*r**ility *ris*s ****us* Py*r*SQL's mo*ul*-l*v*l *s**pin* *un*tions (p*.*s**p*_strin* *n* p*.*s**p*_*yt**) *i* not us* Post*r*SQL's *onn**tion-*w*r* *s**pin* *un*tions (PQ*s**p*Strin**onn/PQ*s**p**yt***onn). T** *ommit *i** s*ows t**s* *un*ti

7.5

Basic Information

Concerned about an active attack path?

CVE-2009-2940: PyGreSQL Might Be Vulnerable to Encoding-Based SQL Injection

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI