PT-2019-5491 · Sqlalchemy+5 · Sqlalchemy+5

Publicado

2019-01-07

Atualizado

2021-11-30

CVE-2019-7548

CVSS v4.0

9.3

Crítica

Vetor

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions SQLAlchemy version 1.2.17

Description The issue is related to SQL injection when the group by parameter can be controlled, allowing an attacker to execute arbitrary code. This is due to a lack of protection measures for the SQL query structure.

Recommendations For SQLAlchemy version 1.2.17, consider restricting access to the group by parameter to prevent its manipulation by unauthorized users. As a temporary workaround, avoid using the group by parameter in sensitive queries until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SQL injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-89

Identificadores relacionados

ALSA-2019:0981

ALSA-2019:0984

BDU:2020-03282

CESA-2019_0981

CESA-2019_0984

CVE-2019-7548

DLA-1718-1

DLA-2811-1

GHSA-38FC-9XQV-7F7Q

MGASA-2019-0350

OESA-2021-1274

OPENSUSE-SU-2019:2039-1

OPENSUSE-SU-2019:2064-1

OPENSUSE-SU-2019:2078-1

OPENSUSE-SU-2019_2039-1

OPENSUSE-SU-2019_2064-1

PYSEC-2019-124

RHSA-2019:0981

RHSA-2019:0984

RHSA-2019_0981

RHSA-2019_0984

RLSA-2019:0981

RLSA-2019:0984

SUSE-SU-2019:2211-1

SUSE-SU-2019:2253-1

SUSE-SU-2019:2253-2

SUSE-SU-2019:2261-1

SUSE-SU-2019:2267-1

SUSE-SU-2019:2350-1

SUSE-SU-2019:2374-1

Produtos afetados

Almalinux

Centos

Red Hat

Rocky Linux

Sqlalchemy

Suse

PT-2019-5491 · Sqlalchemy+5 · Sqlalchemy+5

CVE-2019-7548

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 148