PT-2012-2880 · Sqlalchemy+2 · Sqlalchemy+2
Nikita Savin
·
Publicado
2012-03-07
·
Atualizado
2022-05-14
·
CVE-2012-0805
CVSS v4.0
9.3
Crítica
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
SQLAlchemy versions prior to 0.7.0b4
Description
The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the
limit or offset keyword to the select function. Additionally, unspecified vectors to the select.limit or select.offset function can be used.Recommendations
For versions prior to 0.7.0b4, update to version 0.7.0b4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the
select function with limit and offset keywords, as well as the select.limit and select.offset functions, until a patch is applied.Exploit
Correção
RCE
SQL injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Centos
Red Hat
Sqlalchemy