CVE-2019-7548
Published: 6 February 2019
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
Notes
Author | Note |
---|---|
mdeslaur | Since 1.0, SQLAlchemy issues a warning when text() is omitted. The fix for this issue turns the warning into an error. Since this change may break existing applications, it may not get fixed; marking priority as low. |
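The description and the note above say what the defect is: a caller-controlled string reaching `group_by` is treated as SQL, and the upstream fix makes SQLAlchemy refuse such strings unless they are wrapped explicitly in `text()`. The application-side defence is independent of which SQLAlchemy version is installed: never let a user-supplied name into the query text unless it matches a column you know exists. The following is an added example, not code from the Ubuntu tracker or from SQLAlchemy; it uses only the standard-library `sqlite3` module so it runs offline, and the table, rows and helper names (`allowed_columns`, `build_group_by`, `totals_by`, `demo`) are constructed for illustration.

```python
import sqlite3

# Constructed sample schema and rows (not from the tracker page).
SCHEMA = """
CREATE TABLE events (id INTEGER PRIMARY KEY, host TEXT, severity TEXT, hits INTEGER);
INSERT INTO events (host, severity, hits) VALUES
    ('web1', 'high', 3), ('web1', 'low', 10), ('db1', 'high', 1);
"""

# The table name is a trusted constant; only the GROUP BY column is untrusted.
EVENTS_TABLE = "events"


def allowed_columns(conn, table):
    """Read the real column names of `table` back from the catalogue."""
    return {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}


def build_group_by(conn, table, group_col):
    """Return a GROUP BY query for `group_col`, or raise ValueError when the
    requested name is not an existing column of `table`.

    The identifier is interpolated only after it has matched an entry read
    back from the schema, so an arbitrary string can never become SQL.
    """
    if group_col not in allowed_columns(conn, table):
        raise ValueError(f"refusing unknown GROUP BY column {group_col!r}")
    return f'SELECT "{group_col}", SUM(hits) FROM {table} GROUP BY "{group_col}"'


def totals_by(conn, group_col):
    """Aggregate `hits` grouped by a caller-chosen column."""
    query = build_group_by(conn, EVENTS_TABLE, group_col)
    return dict(conn.execute(query).fetchall())


def demo():
    """Run the guard against a legitimate column and a malformed request."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    ok = totals_by(conn, "severity")  # {'high': 4, 'low': 10}
    try:
        totals_by(conn, "severity; DROP TABLE events")
        rejected = False
    except ValueError:
        rejected = True
    # The table survives because the malformed name never reached SQLite.
    tables = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    still_there = EVENTS_TABLE in tables
    return ok, rejected, still_there


if __name__ == "__main__":
    print(demo())
```

The allowlist is read from the database itself rather than hard-coded, so it stays correct when the schema changes; with SQLAlchemy the same idea is expressed by passing a `Column` object (e.g. `table.c.severity`) chosen from a mapping of permitted names, instead of the raw string.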
Priority
Status
Package | Release | Status |
---|---|---|
sqlalchemy (Launchpad, Ubuntu, Debian) | bionic | Needed |
sqlalchemy | cosmic | Ignored (end of life) |
sqlalchemy | disco | Ignored (end of life) |
sqlalchemy | eoan | Not vulnerable (1.2.18+ds1-2ubuntu1) |
sqlalchemy | focal | Not vulnerable (1.2.18+ds1-2ubuntu1) |
sqlalchemy | trusty | Does not exist (trusty was needed) |
sqlalchemy | upstream | Needs triage |
sqlalchemy | impish | Not vulnerable (1.2.18+ds1-2ubuntu1) |
sqlalchemy | groovy | Not vulnerable (1.2.18+ds1-2ubuntu1) |
sqlalchemy | xenial | Needed |
sqlalchemy | jammy | Not vulnerable (1.2.18+ds1-2ubuntu1) |
sqlalchemy | kinetic | Not vulnerable (1.2.18+ds1-2ubuntu1) |
sqlalchemy | lunar | Not vulnerable (1.2.18+ds1-2ubuntu1) |
sqlalchemy | hirsute | Not vulnerable (1.2.18+ds1-2ubuntu1) |
sqlalchemy | mantic | Not vulnerable (1.2.18+ds1-2ubuntu1) |
Patches: upstream: https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality impact | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |