CVE-2019-7548 — SQL Injection in Sqlalchemy

CWE-89 — SQL Injection10 documents7 sources

Severity

7.8HIGHNVD

EPSS

1.2%

top 20.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sqlalchemy Debian Linux Opensuse Backports SLE +6 more

Timeline

PublishedFeb 6

Latest updateApr 16

Description

SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages6 packages

▶PyPIsqlalchemy/sqlalchemy< 1.2.19

▶Debiansqlalchemy/sqlalchemy< 1.2.18+ds1-2+3

▶NVDsqlalchemy/sqlalchemy1.2.17

▶NVDopensuse/leap15.0, 15.1+1

▶NVDopensuse/backports_sle15.0

Also affects: Debian Linux 8.0, 9.0, Enterprise Linux 8.0, 8.1, 8.2, 8.4

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

SQLAlchemy is vulnerable to SQL Injection via group_by parameter↗2019-04-16

▶

GHSA

SQLAlchemy is vulnerable to SQL Injection via group_by parameter↗2019-04-16

▶

CVEList

CVE-2019-7548: SQLAlchemy 1↗2019-02-06

▶

OSV

CVE-2019-7548: SQLAlchemy 1↗2019-02-06

▶

📋Vendor Advisories

Red Hat

python-sqlalchemy: SQL Injection when the group_by parameter can be controlled↗2019-02-01

▶

Debian

CVE-2019-7548: sqlalchemy - SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlle...↗2019

▶

💬Community

Bugzilla

CVE-2019-7164 python-sqlalchemy: SQL Injection when the order_by parameter can be controlled↗2019-02-19

▶

Bugzilla

CVE-2019-7548 python-sqlalchemy: SQL Injection when the group_by parameter can be controlled↗2019-02-08

▶

Bugzilla

CVE-2019-7164 CVE-2019-7548 python-sqlalchemy: various flaws [fedora-all]↗2019-02-08

▶