PT-2019-5491 · Sqlalchemy+5

Published: 2019-01-07 · Updated: 2021-11-30 · CVE-2019-7548

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SQLAlchemy version 1.2.17

Description: The issue is an SQL injection that occurs when the group by parameter can be controlled by an attacker, allowing arbitrary code execution. The root cause is a lack of protection measures for the structure of the SQL query.

Recommendations: For SQLAlchemy version 1.2.17, restrict access to the group by parameter so that it cannot be manipulated by unauthorized users. As a temporary workaround, avoid using the group by parameter in sensitive queries until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit: SQL injection


Related Identifiers

ALSA-2019:0981
ALSA-2019:0984
BDU:2020-03282
CESA-2019_0981
CESA-2019_0984
CVE-2019-7548
DLA-1718-1
DLA-2811-1
GHSA-38FC-9XQV-7F7Q
MGASA-2019-0350
OESA-2021-1274
OPENSUSE-SU-2019:2039-1
OPENSUSE-SU-2019:2064-1
OPENSUSE-SU-2019:2078-1
OPENSUSE-SU-2019_2039-1
OPENSUSE-SU-2019_2064-1
PYSEC-2019-124
RHSA-2019:0981
RHSA-2019:0984
RHSA-2019_0981
RHSA-2019_0984
RLSA-2019:0981
RLSA-2019:0984
SUSE-SU-2019:2211-1
SUSE-SU-2019:2253-1
SUSE-SU-2019:2253-2
SUSE-SU-2019:2261-1
SUSE-SU-2019:2267-1
SUSE-SU-2019:2350-1
SUSE-SU-2019:2374-1

Affected Products

Almalinux
Centos
Red Hat
Rocky Linux
Sqlalchemy
Suse