Proposal: Secure Coding Case Study for CVE-2024-36039 (SQL Injection in PyMySQL) #70

@tarundattagondi

Description

We are proposing to write a case study on the SQL injection vulnerability in the PyMySQL library (CVE-2024-36039).

Description: PyMySQL through version 1.1.0 allows SQL injection if used with untrusted JSON input because dictionary keys are not escaped by the escape_dict function. An attacker can send specially crafted input to execute arbitrary SQL commands on the database, leading to unauthorized access or data manipulation.

Proposed vulnerability: CVE-2024-36039
Software: PyMySQL (Python MySQL client library)
Primary weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 9.8 (Critical)
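The escaping failure described above, as an added illustration that is not PyMySQL's code: a minimal model of a client-side parameter escaper in which a dict parameter's keys skip escaping, next to a hardened variant that refuses composite parameters and an application-layer mitigation that serializes untrusted JSON to a single string literal. All function names and the sample input are constructed for this example.

```python
import json
import re
from typing import Any


def escape_string(s: str) -> str:
    """Backslash-escape quote and backslash, then wrap in single quotes."""
    return "'" + re.sub(r"(['\\])", r"\\\1", s) + "'"


def escape_item_vulnerable(val: Any) -> Any:
    """Model of the flawed path: scalars are escaped, but a dict comes back
    with escaped values and RAW keys. Rendering it with '%s' calls str() on
    the dict, so the keys land verbatim in the query text."""
    if isinstance(val, str):
        return escape_string(val)
    if isinstance(val, (int, float)):
        return str(val)
    if isinstance(val, dict):
        return {k: escape_item_vulnerable(v) for k, v in val.items()}
    raise TypeError(f"unsupported parameter type {type(val).__name__}")


def escape_item_hardened(val: Any) -> str:
    """Only scalars are valid SQL literals; dicts and lists are refused."""
    if isinstance(val, str):
        return escape_string(val)
    if isinstance(val, (int, float)):
        return str(val)
    raise TypeError(f"{type(val).__name__} cannot be used as a SQL parameter")


def render(query: str, args: tuple, escape) -> str:
    """Client-side interpolation, as a driver does when parameters are not
    sent to the server separately."""
    return query % tuple(escape(a) for a in args)


def json_param(obj: Any) -> str:
    """Application-layer mitigation: serialize untrusted JSON to one string so
    the whole document becomes a single, fully escaped literal."""
    return json.dumps(obj, separators=(",", ":"))


def is_rejected(val: Any, escape) -> bool:
    """True if the escaper refuses the value with TypeError."""
    try:
        escape(val)
    except TypeError:
        return True
    return False


# Constructed untrusted input: a JSON object whose key contains a quote.
UNTRUSTED = json.loads('{"k\'": 1}')
QUERY = "INSERT INTO events (payload) VALUES (%s)"
```

Running `render(QUERY, (UNTRUSTED,), escape_item_vulnerable)` shows the unescaped `k'` inside the statement, while `render(QUERY, (json_param(UNTRUSTED),), escape_item_hardened)` yields one escaped string literal.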

Group Members:

  1. Gondi Tarun Datta (G01547449)
  2. Goduguluri Varshitha (G01539592)

References:
