1. 背景
ICASI在推进多供应商协调漏洞披露方面处于领先地位,引入了通用漏洞报告框架(Common Vulnerability Reporting Format,CVRF)标准,制定了统一安全事件响应计划(USIRP)的原则,帮助创建了多方漏洞协调和披露指南和实践,并建立了一个成功协调多供应商应对众多安全事件的行业领导者信托小组。为了继续取得这些成功,并确保全球社会更广泛的参与,ICASI(Industry Consortium for Advancement of Security on the Internet,互联网安全的行业促进联盟)将作为一个独立组织解散,并将其所有资产于2021年5月28日转移给了FIRST(Forum of Incident Response and Security Teams,事件响应和安全团队论坛):
- ICASI成立于2008年,旨在通过推动安全应对实践的卓越和创新来加强全球安全格局,促进成员之间的合作,以分析、缓解和解决多方利益相关者的全球安全挑战。这一角色将继续,但作为现有FIRST PSIRT SIG的一部分,扩展和提高社区应对多个供应商漏洞的能力。
- FIRST成立于1990年,是全球安全事件响应的领导者。
截止目前,CVRF的治理已从ICASI过渡到结构化信息标准促进组织(Organization for the Advancement of Structured Information Standards,OASIS),并将更名为CSAF(通用安全能告框架)。
2. CVRF概览
通用漏洞报告框架(Common Vulnerability Reporting Format,CVRF)是以机器可读形式(XML文件)发布安全通告(Security Advisory,SA)的行业标准格式。安全通告包含漏洞严重等级、业务影响和修补方案等信息,用以传递漏洞修补方案。安全通告(SA)用于发布华为产品直接相关的严重(Critical)和高(High)等级的漏洞信息及修补方案。安全通告(SA)一般都会提供下载通用漏洞报告框架(CVRF)内容的选项,旨在以机器可读格式描述漏洞信息,以支持受影响客户的工具使用。
CVRF样例(CVE-2024-4340)
<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:cvrf="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf" xmlns:cvrf-common="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/common" xmlns:cvssv2="http://scap.nist.gov/schema/cvss-v2/1.0" xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:ns0="http://purl.org/dc/elements/1.1/" xmlns:prod="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/prod" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/1.0" xmlns:sch="http://purl.oclc.org/dsdl/schematron" xmlns:vuln="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf">
<DocumentTitle xml:lang="en">CVE-2024-4340</DocumentTitle>
<DocumentType>SUSE CVE</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>security@suse.de</ContactDetails>
<IssuingAuthority>SUSE Security Team</IssuingAuthority>
</DocumentPublisher>
<DocumentTracking>
<Identification>
<ID>SUSE CVE-2024-4340</ID>
</Identification>
<Status>Interim</Status>
<Version>1</Version>
<RevisionHistory>
<Revision>
<Number>2</Number>
<Date>2024-05-01T23:14:09Z</Date>
<Description>current</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2024-04-30T23:14:33Z</InitialReleaseDate>
<CurrentReleaseDate>2024-05-01T23:14:09Z</CurrentReleaseDate>
<Generator>
<Engine>cve-database/bin/generate-cvrf-cve.pl</Engine>
<Date>2020-12-27T01:00:00Z</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="CVE" Type="Summary" Ordinal="1" xml:lang="en">CVE-2024-4340</Note>
<Note Title="Mitre CVE Description" Type="Description" Ordinal="2" xml:lang="en">Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
</Note>
<Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="4" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
</DocumentNotes>
<DocumentReferences>
<Reference Type="Self">
<URL>https://www.suse.com/support/security/rating/</URL>
<Description>SUSE Security Ratings</Description>
</Reference>
</DocumentReferences>
<ProductTree xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/prod">
<Branch Type="Product Family" Name="HPE Helion OpenStack 8">
<Branch Type="Product Name" Name="HPE Helion OpenStack 8">
<FullProductName ProductID="HPE Helion OpenStack 8" CPE="cpe:/o:suse:hpe-helion-openstack:8">HPE Helion OpenStack 8</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Enterprise Storage 7.1">
<Branch Type="Product Name" Name="SUSE Enterprise Storage 7.1">
<FullProductName ProductID="SUSE Enterprise Storage 7.1" CPE="cpe:/o:suse:ses:7.1">SUSE Enterprise Storage 7.1</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Desktop 15 SP5">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Basesystem 15 SP5">
<FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP5" CPE="cpe:/o:suse:sle-module-basesystem:15:sp5">SUSE Linux Enterprise Module for Basesystem 15 SP5</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Desktop 15 SP6">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Basesystem 15 SP6">
<FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP6" CPE="cpe:/o:suse:sle-module-basesystem:15:sp6">SUSE Linux Enterprise Module for Basesystem 15 SP6</FullProductName>
</Branch>
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Python 3 15 SP6">
<FullProductName ProductID="SUSE Linux Enterprise Module for Python 3 15 SP6" CPE="cpe:/o:suse:sle-module-python3:15:sp6">SUSE Linux Enterprise Module for Python 3 15 SP6</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS">
<Branch Type="Product Name" Name="SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS" CPE="cpe:/o:suse:sle_hpc-ltss:15:sp2">SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS">
<Branch Type="Product Name" Name="SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS" CPE="cpe:/o:suse:sle_hpc-ltss:15:sp3">SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise High Performance Computing 15 SP4">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Public Cloud 15 SP4">
<FullProductName ProductID="SUSE Linux Enterprise Module for Public Cloud 15 SP4" CPE="cpe:/o:suse:sle-module-public-cloud:15:sp4">SUSE Linux Enterprise Module for Public Cloud 15 SP4</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS">
<Branch Type="Product Name" Name="SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS">
<FullProductName ProductID="SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS" CPE="cpe:/o:suse:sle_hpc-espos:15:sp4">SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS">
<Branch Type="Product Name" Name="SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS" CPE="cpe:/o:suse:sle_hpc-ltss:15:sp4">SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise High Performance Computing 15 SP5">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Basesystem 15 SP5">
<FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP5" CPE="cpe:/o:suse:sle-module-basesystem:15:sp5">SUSE Linux Enterprise Module for Basesystem 15 SP5</FullProductName>
</Branch>
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Public Cloud 15 SP5">
<FullProductName ProductID="SUSE Linux Enterprise Module for Public Cloud 15 SP5" CPE="cpe:/o:suse:sle-module-public-cloud:15:sp5">SUSE Linux Enterprise Module for Public Cloud 15 SP5</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise High Performance Computing 15 SP6">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Basesystem 15 SP6">
<FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP6" CPE="cpe:/o:suse:sle-module-basesystem:15:sp6">SUSE Linux Enterprise Module for Basesystem 15 SP6</FullProductName>
</Branch>
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Python 3 15 SP6">
<FullProductName ProductID="SUSE Linux Enterprise Module for Python 3 15 SP6" CPE="cpe:/o:suse:sle-module-python3:15:sp6">SUSE Linux Enterprise Module for Python 3 15 SP6</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Module for Package Hub 15 SP5">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Package Hub 15 SP5">
<FullProductName ProductID="SUSE Linux Enterprise Module for Package Hub 15 SP5" CPE="cpe:/o:suse:packagehub:15:sp5">SUSE Linux Enterprise Module for Package Hub 15 SP5</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Module for Package Hub 15 SP6">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Package Hub 15 SP6">
<FullProductName ProductID="SUSE Linux Enterprise Module for Package Hub 15 SP6" CPE="cpe:/o:suse:packagehub:15:sp6">SUSE Linux Enterprise Module for Package Hub 15 SP6</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Server 15 SP1-LTSS">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Server 15 SP1-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise Server 15 SP1-LTSS" CPE="cpe:/o:suse:sles-ltss:15:sp1">SUSE Linux Enterprise Server 15 SP1-LTSS</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Server 15 SP2-LTSS">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Server 15 SP2-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise Server 15 SP2-LTSS" CPE="cpe:/o:suse:sles-ltss:15:sp2">SUSE Linux Enterprise Server 15 SP2-LTSS</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Server 15 SP3-LTSS">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Server 15 SP3-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise Server 15 SP3-LTSS" CPE="cpe:/o:suse:sles-ltss:15:sp3">SUSE Linux Enterprise Server 15 SP3-LTSS</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Server 15 SP4">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Public Cloud 15 SP4">
<FullProductName ProductID="SUSE Linux Enterprise Module for Public Cloud 15 SP4" CPE="cpe:/o:suse:sle-module-public-cloud:15:sp4">SUSE Linux Enterprise Module for Public Cloud 15 SP4</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Server 15 SP4-LTSS">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Server 15 SP4-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise Server 15 SP4-LTSS" CPE="cpe:/o:suse:sles-ltss:15:sp4">SUSE Linux Enterprise Server 15 SP4-LTSS</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Server 15 SP5">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Basesystem 15 SP5">
<FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP5" CPE="cpe:/o:suse:sle-module-basesystem:15:sp5">SUSE Linux Enterprise Module for Basesystem 15 SP5</FullProductName>
</Branch>
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Public Cloud 15 SP5">
<FullProductName ProductID="SUSE Linux Enterprise Module for Public Cloud 15 SP5" CPE="cpe:/o:suse:sle-module-public-cloud:15:sp5">SUSE Linux Enterprise Module for Public Cloud 15 SP5</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Server 15 SP6">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Basesystem 15 SP6">
<FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP6" CPE="cpe:/o:suse:sle-module-basesystem:15:sp6">SUSE Linux Enterprise Module for Basesystem 15 SP6</FullProductName>
</Branch>
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Python 3 15 SP6">
<FullProductName ProductID="SUSE Linux Enterprise Module for Python 3 15 SP6" CPE="cpe:/o:suse:sle-module-python3:15:sp6">SUSE Linux Enterprise Module for Python 3 15 SP6</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Server for SAP Applications 15 SP2">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Server for SAP Applications 15 SP2">
<FullProductName ProductID="SUSE Linux Enterprise Server for SAP Applications 15 SP2" CPE="cpe:/o:suse:sles_sap:15:sp2">SUSE Linux Enterprise Server for SAP Applications 15 SP2</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Server for SAP Applications 15 SP3">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Server for SAP Applications 15 SP3">
<FullProductName ProductID="SUSE Linux Enterprise Server for SAP Applications 15 SP3" CPE="cpe:/o:suse:sles_sap:15:sp3">SUSE Linux Enterprise Server for SAP Applications 15 SP3</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Server for SAP Applications 15 SP4">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Public Cloud 15 SP4">
<FullProductName ProductID="SUSE Linux Enterprise Module for Public Cloud 15 SP4" CPE="cpe:/o:suse:sle-module-public-cloud:15:sp4">SUSE Linux Enterprise Module for Public Cloud 15 SP4</FullProductName>
</Branch>
<Branch Type="Product Name" Name="SUSE Linux Enterprise Server for SAP Applications 15 SP4">
<FullProductName ProductID="SUSE Linux Enterprise Server for SAP Applications 15 SP4" CPE="cpe:/o:suse:sles_sap:15:sp4">SUSE Linux Enterprise Server for SAP Applications 15 SP4</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Server for SAP Applications 15 SP5">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Basesystem 15 SP5">
<FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP5" CPE="cpe:/o:suse:sle-module-basesystem:15:sp5">SUSE Linux Enterprise Module for Basesystem 15 SP5</FullProductName>
</Branch>
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Public Cloud 15 SP5">
<FullProductName ProductID="SUSE Linux Enterprise Module for Public Cloud 15 SP5" CPE="cpe:/o:suse:sle-module-public-cloud:15:sp5">SUSE Linux Enterprise Module for Public Cloud 15 SP5</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Linux Enterprise Server for SAP Applications 15 SP6">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Basesystem 15 SP6">
<FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP6" CPE="cpe:/o:suse:sle-module-basesystem:15:sp6">SUSE Linux Enterprise Module for Basesystem 15 SP6</FullProductName>
</Branch>
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Python 3 15 SP6">
<FullProductName ProductID="SUSE Linux Enterprise Module for Python 3 15 SP6" CPE="cpe:/o:suse:sle-module-python3:15:sp6">SUSE Linux Enterprise Module for Python 3 15 SP6</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Manager Proxy 4.3">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Public Cloud 15 SP4">
<FullProductName ProductID="SUSE Linux Enterprise Module for Public Cloud 15 SP4" CPE="cpe:/o:suse:sle-module-public-cloud:15:sp4">SUSE Linux Enterprise Module for Public Cloud 15 SP4</FullProductName>
</Branch>
<Branch Type="Product Name" Name="SUSE Manager Proxy 4.3">
<FullProductName ProductID="SUSE Manager Proxy 4.3" CPE="cpe:/o:suse:suse-manager-proxy:4.3">SUSE Manager Proxy 4.3</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Manager Retail Branch Server 4.3">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Public Cloud 15 SP4">
<FullProductName ProductID="SUSE Linux Enterprise Module for Public Cloud 15 SP4" CPE="cpe:/o:suse:sle-module-public-cloud:15:sp4">SUSE Linux Enterprise Module for Public Cloud 15 SP4</FullProductName>
</Branch>
<Branch Type="Product Name" Name="SUSE Manager Retail Branch Server 4.3">
<FullProductName ProductID="SUSE Manager Retail Branch Server 4.3" CPE="cpe:/o:suse:suse-manager-retail-branch-server:4.3">SUSE Manager Retail Branch Server 4.3</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE Manager Server 4.3">
<Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Public Cloud 15 SP4">
<FullProductName ProductID="SUSE Linux Enterprise Module for Public Cloud 15 SP4" CPE="cpe:/o:suse:sle-module-public-cloud:15:sp4">SUSE Linux Enterprise Module for Public Cloud 15 SP4</FullProductName>
</Branch>
<Branch Type="Product Name" Name="SUSE Manager Server 4.3">
<FullProductName ProductID="SUSE Manager Server 4.3" CPE="cpe:/o:suse:suse-manager-server:4.3">SUSE Manager Server 4.3</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE OpenStack Cloud 8">
<Branch Type="Product Name" Name="SUSE OpenStack Cloud 8">
<FullProductName ProductID="SUSE OpenStack Cloud 8" CPE="cpe:/o:suse:suse-openstack-cloud:8">SUSE OpenStack Cloud 8</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE OpenStack Cloud 9">
<Branch Type="Product Name" Name="SUSE OpenStack Cloud 9">
<FullProductName ProductID="SUSE OpenStack Cloud 9" CPE="cpe:/o:suse:suse-openstack-cloud:9">SUSE OpenStack Cloud 9</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE OpenStack Cloud Crowbar 8">
<Branch Type="Product Name" Name="SUSE OpenStack Cloud Crowbar 8">
<FullProductName ProductID="SUSE OpenStack Cloud Crowbar 8" CPE="cpe:/o:suse:suse-openstack-cloud-crowbar:8">SUSE OpenStack Cloud Crowbar 8</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="SUSE OpenStack Cloud Crowbar 9">
<Branch Type="Product Name" Name="SUSE OpenStack Cloud Crowbar 9">
<FullProductName ProductID="SUSE OpenStack Cloud Crowbar 9" CPE="cpe:/o:suse:suse-openstack-cloud-crowbar:9">SUSE OpenStack Cloud Crowbar 9</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="openSUSE Leap 15.5">
<Branch Type="Product Name" Name="openSUSE Leap 15.5">
<FullProductName ProductID="openSUSE Leap 15.5" CPE="cpe:/o:opensuse:leap:15.5">openSUSE Leap 15.5</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Family" Name="openSUSE Leap 15.6">
<Branch Type="Product Name" Name="openSUSE Leap 15.6">
<FullProductName ProductID="openSUSE Leap 15.6" CPE="cpe:/o:opensuse:leap:15.6">openSUSE Leap 15.6</FullProductName>
</Branch>
</Branch>
<Branch Type="Product Version" Name="python-sqlparse">
<FullProductName ProductID="python-sqlparse" CPE="cpe:2.3:a:sqlparse_project:sqlparse:*:*:*:*:*:*:*:*">python-sqlparse</FullProductName>
</Branch>
<Branch Type="Product Version" Name="python2-sqlparse">
<FullProductName ProductID="python2-sqlparse">python2-sqlparse</FullProductName>
</Branch>
<Branch Type="Product Version" Name="python3-sqlparse">
<FullProductName ProductID="python3-sqlparse">python3-sqlparse</FullProductName>
</Branch>
<Branch Type="Product Version" Name="python311-sqlparse">
<FullProductName ProductID="python311-sqlparse">python311-sqlparse</FullProductName>
</Branch>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="HPE Helion OpenStack 8">
<FullProductName ProductID="HPE Helion OpenStack 8:python-sqlparse">python-sqlparse as a component of HPE Helion OpenStack 8</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Enterprise Storage 7.1">
<FullProductName ProductID="SUSE Enterprise Storage 7.1:python3-sqlparse">python3-sqlparse as a component of SUSE Enterprise Storage 7.1</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:python3-sqlparse">python3-sqlparse as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS</FullProductName>
</Relationship>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:python-sqlparse">python-sqlparse as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:python3-sqlparse">python3-sqlparse as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS">
<FullProductName ProductID="SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python3-sqlparse">python3-sqlparse as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python3-sqlparse">python3-sqlparse as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Basesystem 15 SP5">
<FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP5:python3-sqlparse">python3-sqlparse as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Basesystem 15 SP6">
<FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP6:python3-sqlparse">python3-sqlparse as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6</FullProductName>
</Relationship>
<Relationship ProductReference="python2-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Package Hub 15 SP5">
<FullProductName ProductID="SUSE Linux Enterprise Module for Package Hub 15 SP5:python2-sqlparse">python2-sqlparse as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5</FullProductName>
</Relationship>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Package Hub 15 SP5">
<FullProductName ProductID="SUSE Linux Enterprise Module for Package Hub 15 SP5:python-sqlparse">python-sqlparse as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5</FullProductName>
</Relationship>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Package Hub 15 SP6">
<FullProductName ProductID="SUSE Linux Enterprise Module for Package Hub 15 SP6:python-sqlparse">python-sqlparse as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6</FullProductName>
</Relationship>
<Relationship ProductReference="python311-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Public Cloud 15 SP4">
<FullProductName ProductID="SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-sqlparse">python311-sqlparse as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP4</FullProductName>
</Relationship>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Public Cloud 15 SP4">
<FullProductName ProductID="SUSE Linux Enterprise Module for Public Cloud 15 SP4:python-sqlparse">python-sqlparse as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP4</FullProductName>
</Relationship>
<Relationship ProductReference="python311-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Public Cloud 15 SP5">
<FullProductName ProductID="SUSE Linux Enterprise Module for Public Cloud 15 SP5:python311-sqlparse">python311-sqlparse as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP5</FullProductName>
</Relationship>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Public Cloud 15 SP5">
<FullProductName ProductID="SUSE Linux Enterprise Module for Public Cloud 15 SP5:python-sqlparse">python-sqlparse as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP5</FullProductName>
</Relationship>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Python 3 15 SP6">
<FullProductName ProductID="SUSE Linux Enterprise Module for Python 3 15 SP6:python-sqlparse">python-sqlparse as a component of SUSE Linux Enterprise Module for Python 3 15 SP6</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server 15 SP1-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise Server 15 SP1-LTSS:python3-sqlparse">python3-sqlparse as a component of SUSE Linux Enterprise Server 15 SP1-LTSS</FullProductName>
</Relationship>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server 15 SP1-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise Server 15 SP1-LTSS:python-sqlparse">python-sqlparse as a component of SUSE Linux Enterprise Server 15 SP1-LTSS</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server 15 SP2-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise Server 15 SP2-LTSS:python3-sqlparse">python3-sqlparse as a component of SUSE Linux Enterprise Server 15 SP2-LTSS</FullProductName>
</Relationship>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server 15 SP2-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise Server 15 SP2-LTSS:python-sqlparse">python-sqlparse as a component of SUSE Linux Enterprise Server 15 SP2-LTSS</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server 15 SP3-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise Server 15 SP3-LTSS:python3-sqlparse">python3-sqlparse as a component of SUSE Linux Enterprise Server 15 SP3-LTSS</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server 15 SP4-LTSS">
<FullProductName ProductID="SUSE Linux Enterprise Server 15 SP4-LTSS:python3-sqlparse">python3-sqlparse as a component of SUSE Linux Enterprise Server 15 SP4-LTSS</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server for SAP Applications 15 SP2">
<FullProductName ProductID="SUSE Linux Enterprise Server for SAP Applications 15 SP2:python3-sqlparse">python3-sqlparse as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2</FullProductName>
</Relationship>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server for SAP Applications 15 SP2">
<FullProductName ProductID="SUSE Linux Enterprise Server for SAP Applications 15 SP2:python-sqlparse">python-sqlparse as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server for SAP Applications 15 SP3">
<FullProductName ProductID="SUSE Linux Enterprise Server for SAP Applications 15 SP3:python3-sqlparse">python3-sqlparse as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server for SAP Applications 15 SP4">
<FullProductName ProductID="SUSE Linux Enterprise Server for SAP Applications 15 SP4:python3-sqlparse">python3-sqlparse as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Proxy 4.3">
<FullProductName ProductID="SUSE Manager Proxy 4.3:python3-sqlparse">python3-sqlparse as a component of SUSE Manager Proxy 4.3</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Retail Branch Server 4.3">
<FullProductName ProductID="SUSE Manager Retail Branch Server 4.3:python3-sqlparse">python3-sqlparse as a component of SUSE Manager Retail Branch Server 4.3</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Server 4.3">
<FullProductName ProductID="SUSE Manager Server 4.3:python3-sqlparse">python3-sqlparse as a component of SUSE Manager Server 4.3</FullProductName>
</Relationship>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE OpenStack Cloud 8">
<FullProductName ProductID="SUSE OpenStack Cloud 8:python-sqlparse">python-sqlparse as a component of SUSE OpenStack Cloud 8</FullProductName>
</Relationship>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE OpenStack Cloud 9">
<FullProductName ProductID="SUSE OpenStack Cloud 9:python-sqlparse">python-sqlparse as a component of SUSE OpenStack Cloud 9</FullProductName>
</Relationship>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE OpenStack Cloud Crowbar 8">
<FullProductName ProductID="SUSE OpenStack Cloud Crowbar 8:python-sqlparse">python-sqlparse as a component of SUSE OpenStack Cloud Crowbar 8</FullProductName>
</Relationship>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="SUSE OpenStack Cloud Crowbar 9">
<FullProductName ProductID="SUSE OpenStack Cloud Crowbar 9:python-sqlparse">python-sqlparse as a component of SUSE OpenStack Cloud Crowbar 9</FullProductName>
</Relationship>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.5">
<FullProductName ProductID="openSUSE Leap 15.5:python-sqlparse">python-sqlparse as a component of openSUSE Leap 15.5</FullProductName>
</Relationship>
<Relationship ProductReference="python3-sqlparse" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.5">
<FullProductName ProductID="openSUSE Leap 15.5:python3-sqlparse">python3-sqlparse as a component of openSUSE Leap 15.5</FullProductName>
</Relationship>
<Relationship ProductReference="python-sqlparse" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.6">
<FullProductName ProductID="openSUSE Leap 15.6:python-sqlparse">python-sqlparse as a component of openSUSE Leap 15.6</FullProductName>
</Relationship>
</ProductTree>
<Vulnerability xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln" Ordinal="1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
</Note>
</Notes>
<CVE>CVE-2024-4340</CVE>
<ProductStatuses>
<Status Type="Known Affected">
<ProductID>HPE Helion OpenStack 8:python-sqlparse</ProductID>
<ProductID>SUSE Enterprise Storage 7.1:python3-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:python-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:python3-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:python3-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python3-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python3-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Module for Basesystem 15 SP5:python3-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Module for Basesystem 15 SP6:python3-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Module for Package Hub 15 SP5:python-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Module for Package Hub 15 SP5:python2-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Module for Package Hub 15 SP6:python-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Module for Public Cloud 15 SP4:python-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Module for Public Cloud 15 SP5:python-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Module for Public Cloud 15 SP5:python311-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Module for Python 3 15 SP6:python-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Server 15 SP1-LTSS:python-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Server 15 SP1-LTSS:python3-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Server 15 SP2-LTSS:python-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Server 15 SP2-LTSS:python3-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Server 15 SP3-LTSS:python3-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Server 15 SP4-LTSS:python3-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Server for SAP Applications 15 SP2:python-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Server for SAP Applications 15 SP2:python3-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Server for SAP Applications 15 SP3:python3-sqlparse</ProductID>
<ProductID>SUSE Linux Enterprise Server for SAP Applications 15 SP4:python3-sqlparse</ProductID>
<ProductID>SUSE Manager Proxy 4.3:python3-sqlparse</ProductID>
<ProductID>SUSE Manager Retail Branch Server 4.3:python3-sqlparse</ProductID>
<ProductID>SUSE Manager Server 4.3:python3-sqlparse</ProductID>
<ProductID>SUSE OpenStack Cloud 8:python-sqlparse</ProductID>
<ProductID>SUSE OpenStack Cloud 9:python-sqlparse</ProductID>
<ProductID>SUSE OpenStack Cloud Crowbar 8:python-sqlparse</ProductID>
<ProductID>SUSE OpenStack Cloud Crowbar 9:python-sqlparse</ProductID>
<ProductID>openSUSE Leap 15.5:python-sqlparse</ProductID>
<ProductID>openSUSE Leap 15.5:python3-sqlparse</ProductID>
<ProductID>openSUSE Leap 15.6:python-sqlparse</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>important</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSetV3>
<BaseScoreV3>7.5</BaseScoreV3>
<VectorV3>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</VectorV3>
</ScoreSetV3>
</CVSSScoreSets>
</Vulnerability>
</cvrfdoc>
3. CVRF主要内容
CVRF一级节点有11个,具体如下:
- Title(标题): cvrf:DocumentTitle
- Type(类型): cvrf:DocumentType
- Publisher(发布者): cvrf:DocumentPublisher
- Tracking(跟踪): cvrf:DocumentTracking
- Notes(注释): cvrf:DocumentNotes
- Distribution(分发): cvrf:DocumentDistribution
- Aggregate Severity(严重级别): cvrf:AggregateSeverity
- References( 参考): cvrf:DocumentReferences
- Acknowledgements(致谢): cvrf:Acknowledgements
- Product Tree(产品树): prod:ProductTree
- Vulnerability(漏洞): vuln:Vulnerability
关于CVRF的文档的详细介绍可以参阅如下官方文档:
- pcsaf-cvrf-v1.2-cs01.pdf (访问密码: 6277)
4. CSAF是CVRF的替代品吗?
答案是肯定的。CSAF是通用漏洞报告框架(CVRF)的替代品,它增强了CVRF的能力,包括不同的配置文件(例如,CSAF基础、信息咨询、事件响应、VEX等)。每个配置文件通过强制使用标准中的其他字段,直接或间接地通过标准中的另一个配置文件扩展基本配置文件“CSAF基本”。概要文件总是可以添加,但决不能减去或覆盖其扩展的概要文件中定义的需求。CSAF还提供了CVRF不支持的几个附加增强功能。此外,CSAF使用JSON,而CVRF使用XML。
5. 参考
[1] https://github.com/oasis-tcs/csaf/tree/master/cvrf_1.2
[2] https://oasis-open.github.io/csaf-documentation/
[3] https://www.suse.com/zh-cn/support/security/cvrf/
[4] https://www.redhat.com/zh/blog/csaf-vex-documents-now-generally-available
[5] https://ftp.suse.com/pub/projects/security/cvrf-cve/
推荐阅读:
- 「 网络安全常用术语解读 」软件物料清单SBOM详解
- 「 网络安全常用术语解读 」SBOM主流格式CycloneDX详解
- 「 网络安全常用术语解读 」SBOM主流格式SPDX详解
- 「 网络安全常用术语解读 」SBOM主流格式CycloneDX详解
- 「 网络安全常用术语解读 」漏洞利用交换VEX详解
- 「 网络安全常用术语解读 」软件成分分析SCA详解:从发展背景到技术原理再到业界常用检测工具推荐
- 「 网络安全常用术语解读 」什么是0day、1day、nday漏洞
- 「 网络安全常用术语解读 」软件物料清单SBOM详解
- 「 网络安全常用术语解读 」杀链Kill Chain详解
- 「 网络安全常用术语解读 」点击劫持Clickjacking详解
- 「 网络安全常用术语解读 」悬空标记注入详解
- 「 网络安全常用术语解读 」内容安全策略CSP详解
- 「 网络安全常用术语解读 」同源策略SOP详解
- 「 网络安全常用术语解读 」静态分析结果交换格式SARIF详解
- 「 网络安全常用术语解读 」安全自动化协议SCAP详解
- 「 网络安全常用术语解读 」通用平台枚举CPE详解
- 「 网络安全常用术语解读 」通用缺陷枚举CWE详解
- 「 网络安全常用术语解读 」通用漏洞披露CVE详解
- 「 网络安全常用术语解读 」通用配置枚举CCE详解
- 「 网络安全常用术语解读 」通用漏洞评分系统CVSS详解
- 「 网络安全常用术语解读 」漏洞利用交换VEX详解
- 「 网络安全常用术语解读 」软件成分分析SCA详解:从发展背景到技术原理再到业界常用检测工具推荐
- 「 网络安全常用术语解读 」通用攻击模式枚举和分类CAPEC详解
- 「 网络安全常用术语解读 」网络攻击者的战术、技术和常识知识库ATT&CK详解