PT-2012-2880 · Sqlalchemy+2 · Sqlalchemy+2
Nikita Savin
·
Published
2012-03-07
·
Updated
2022-05-14
·
CVE-2012-0805
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
SQLAlchemy versions prior to 0.7.0b4
Description
The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the
limit or offset keyword to the select function. Additionally, unspecified vectors to the select.limit or select.offset function can be used.Recommendations
For versions prior to 0.7.0b4, update to version 0.7.0b4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the
select function with limit and offset keywords, as well as the select.limit and select.offset functions, until a patch is applied.Exploit
Fix
RCE
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Centos
Red Hat
Sqlalchemy