PT-2019-5718 · Sqlalchemy+5 · Sqlalchemy+5

Publicado

2019-02-01

·

Atualizado

2024-06-15

·

CVE-2019-7164

CVSS v4.0

10

Crítica

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions SQLAlchemy versions 1.2.17 and earlier SQLAlchemy versions 1.3.x through 1.3.0b2
Description The issue is related to SQL injection via the order by parameter. This allows an attacker to potentially execute arbitrary code. The vulnerability is due to a lack of protection for the SQL query structure.
Recommendations For SQLAlchemy versions 1.2.17 and earlier, update to a version later than 1.2.17 to resolve the issue. For SQLAlchemy versions 1.3.x through 1.3.0b2, update to a version later than 1.3.0b2 to resolve the issue. As a temporary workaround, consider restricting the use of the order by parameter to minimize the risk of exploitation.

Exploit

Correção

SQL injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-89

Identificadores relacionados

ALSA-2019:0981
ALSA-2019:0984
BDU:2021-00766
CESA-2019_0981
CESA-2019_0984
CVE-2019-7164
DLA-1718-1
DLA-2811-1
GHSA-887W-45RQ-VXGF
MGASA-2019-0350
OESA-2021-1039
OESA-2021-1071
OPENSUSE-SU-2019:2039-1
OPENSUSE-SU-2019:2064-1
OPENSUSE-SU-2019:2078-1
OPENSUSE-SU-2019_2039-1
OPENSUSE-SU-2019_2064-1
OPENSUSE-SU-2024:11211-1
OPENSUSE-SU-2024:12915-1
PYSEC-2019-123
RHSA-2019:0981
RHSA-2019:0984
RHSA-2019_0981
RHSA-2019_0984
RLSA-2019:0981
RLSA-2019:0984
SUSE-SU-2019:2211-1
SUSE-SU-2019:2253-1
SUSE-SU-2019:2253-2
SUSE-SU-2019:2261-1
SUSE-SU-2019:2267-1
SUSE-SU-2019:2350-1
SUSE-SU-2019:2374-1
SUSE-SU-2019_2211-1
SUSE-SU-2019_2253-1
SUSE-SU-2019_2253-2

Produtos afetados

Almalinux
Centos
Red Hat
Rocky Linux
Sqlalchemy
Suse