CVE-2016-8640
SQL Injection in pycsw
CVSS 3.1 base score: 9.1 (CRITICAL)
EPSS: 0.86%
Description
A SQL injection vulnerability in pycsw, in all versions before 2.0.2, 1.10.5 and 1.8.6, allows an attacker to read and extract any data from any table in the pycsw database that the database user has access to. On PostgreSQL (at least), it is also possible to perform updates, inserts, deletes and other database modifications on any table the database user has access to.
How to fix CVE-2016-8640
To remediate CVE-2016-8640, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 2.0.2+dfsg-1 or later
- upgrade to 2.0.2 or later
- upgrade to 2.0.2 or later
Is CVE-2016-8640 being exploited?
Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2.0.2+dfsg-1
- >= 2.0.0, < 2.0.2
- >= 2.0.0, < 2.0.2, >= 1.10.0, < 1.10.5, from 0, < 1.8.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |