Candidate: CVE-2019-7548
PublicDate: 2019-02-06 21:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7548
 https://github.com/no-security/sqlalchemy_test
Description:
 SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
Ubuntu-Description:
Notes:
 mdeslaur> since 1.0, sqlalchemy issues a warning when text() is omitted
 mdeslaur> this fix for this issue turns the warning into an error
 mdeslaur> since this change may break existing applications, it may not
 mdeslaur> get fixed, marking priority as low
Bugs:
 https://github.com/sqlalchemy/sqlalchemy/issues/4481#issuecomment-461204518
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_sqlalchemy:
 upstream: https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414
upstream_sqlalchemy: needs-triage
precise/esm_sqlalchemy: DNE
trusty_sqlalchemy: ignored (reached end-of-life)
trusty/esm_sqlalchemy: DNE (trusty was needed)
xenial_sqlalchemy: ignored (end of standard support, was needed)
esm-infra/xenial_sqlalchemy: needed
bionic_sqlalchemy: needed
cosmic_sqlalchemy: ignored (reached end-of-life)
disco_sqlalchemy: ignored (reached end-of-life)
eoan_sqlalchemy: not-affected (1.2.18+ds1-2ubuntu1)
focal_sqlalchemy: not-affected (1.2.18+ds1-2ubuntu1)
groovy_sqlalchemy: not-affected (1.2.18+ds1-2ubuntu1)
hirsute_sqlalchemy: not-affected (1.2.18+ds1-2ubuntu1)
impish_sqlalchemy: not-affected (1.2.18+ds1-2ubuntu1)
jammy_sqlalchemy: not-affected (1.2.18+ds1-2ubuntu1)
devel_sqlalchemy: not-affected (1.2.18+ds1-2ubuntu1)