CVE-2019-7164 — SQL Injection in Sqlalchemy

CWE-89 — SQL Injection11 documents8 sources

Severity

9.8CRITICALNVD

EPSS

1.5%

top 19.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sqlalchemy Debian Linux Opensuse Backports SLE +6 more

Timeline

PublishedFeb 20

Latest updateJan 15

Description

SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages6 packages

▶PyPIsqlalchemy/sqlalchemy1.3.0b1 — 1.3.0b3+1

▶Debiansqlalchemy/sqlalchemy< 1.2.18+ds1-2+3

▶NVDsqlalchemy/sqlalchemy1.2.17+1

▶NVDopensuse/leap15.0, 15.1+1

▶NVDopensuse/backports_sle15.0

Also affects: Debian Linux 8.0, 9.0, Enterprise Linux 8.0, 8.1, 8.2, 8.4

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

SQLAlchemy vulnerable to SQL Injection via order_by parameter↗2019-04-16

▶

GHSA

SQLAlchemy vulnerable to SQL Injection via order_by parameter↗2019-04-16

▶

CVEList

CVE-2019-7164: SQLAlchemy through 1↗2019-02-20

▶

OSV

CVE-2019-7164: SQLAlchemy through 1↗2019-02-20

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: ORMB DB Query in VSP (SQLAlchemy) — CVE-2019-7164↗2021-01-15

▶

Red Hat

python-sqlalchemy: SQL Injection when the order_by parameter can be controlled↗2019-02-01

▶

Debian

CVE-2019-7164: sqlalchemy - SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the...↗2019

▶

💬Community

Bugzilla

CVE-2019-7164 python-sqlalchemy: SQL Injection when the order_by parameter can be controlled↗2019-02-19

▶

Bugzilla

CVE-2019-7164 CVE-2019-7548 python-sqlalchemy: various flaws [fedora-all]↗2019-02-08

▶