{"id":"PYSEC-2020-24","details":"asyncpg before 0.21.0 allows a malicious PostgreSQL server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, because of access to an uninitialized pointer in the array data decoder.","aliases":["CVE-2020-17446","GHSA-2xpj-f5g2-8p7m"],"modified":"2023-11-08T04:02:41.394352Z","published":"2020-08-12T16:15:00Z","references":[{"type":"WEB","url":"https://github.com/MagicStack/asyncpg/releases/tag/v0.21.0"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2020/09/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-2xpj-f5g2-8p7m"}],"affected":[{"package":{"name":"asyncpg","ecosystem":"PyPI","purl":"pkg:pypi/asyncpg"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.21.0"}]}],"versions":["0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.6.1","0.6.2","0.6.3","0.7.0","0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.9.0.dev1","0.9.0","0.10.0","0.10.1","0.11.0","0.12.0","0.13.0","0.14.0","0.15.0","0.16.0","0.17.0","0.18.0","0.18.1","0.18.2","0.18.3","0.19.0","0.20.0","0.20.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/asyncpg/PYSEC-2020-24.yaml"}}],"schema_version":"1.7.3"}