PT-2020-12490 · Tortoise · Tortoise Orm

Grigi · published
Published: 2020-04-20
Updated: 2020-04-28
CVE: CVE-2020-11010
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Tortoise ORM versions prior to 0.15.23; Tortoise ORM versions prior to 0.16.6

Description: The issue affects Tortoise ORM, where various forms of SQL injection have been found for MySQL when filtering or doing mass-updates on char/text fields. SQLite and PostgreSQL are only affected when filtering with contains, starts with, or ends with filters (and their case-insensitive counterparts).

Recommendations: For Tortoise ORM versions prior to 0.15.23, upgrade to 0.15.23 or later. For Tortoise ORM versions prior to 0.16.6, upgrade to 0.16.6 or later.
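The class of bug described above (contains / starts-with / ends-with filters built from user-supplied text) is avoided by binding the value as a query parameter and escaping the LIKE metacharacters `%` and `_` so that they match literally. The following is an added illustrative example, not Tortoise ORM's own code or its fix: it uses Python's standard `sqlite3` module, an in-memory table, and constructed sample rows; the function names (`escape_like`, `build_text_filter`, `open_sample_db`, `find_authors`) and the `\` escape character are this example's own choices.

```python
import sqlite3

# Constructed sample data for this example (not taken from the advisory).
SAMPLE_ROWS = [
    ("alice", "hello world"),
    ("bob", "100% done"),
    ("carol", "it's a_test"),
    ("dave", "plain text"),
]

ESCAPE_CHAR = "\\"  # single character passed to LIKE ... ESCAPE


def escape_like(value: str, escape: str = ESCAPE_CHAR) -> str:
    """Escape LIKE metacharacters so a bound value matches literally.

    The escape character itself is doubled first; only then are % and _
    prefixed, otherwise a user-supplied backslash could neutralise them.
    """
    return (
        value.replace(escape, escape + escape)
        .replace("%", escape + "%")
        .replace("_", escape + "_")
    )


def build_text_filter(column: str, op: str, value: str):
    """Return (sql_fragment, params) for a contains/startswith/endswith filter.

    The column name cannot be a bound parameter, so it is validated as a
    plain identifier before being quoted. The user value is never
    interpolated into the SQL text; it travels as a bound parameter.
    """
    if not column.isidentifier():
        raise ValueError(f"invalid column name: {column!r}")
    escaped = escape_like(value)
    patterns = {
        "contains": f"%{escaped}%",
        "startswith": f"{escaped}%",
        "endswith": f"%{escaped}",
    }
    if op not in patterns:
        raise ValueError(f"unsupported operator: {op!r}")
    sql = f'"{column}" LIKE ? ESCAPE ?'
    return sql, [patterns[op], ESCAPE_CHAR]


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (author TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_authors(conn: sqlite3.Connection, op: str, value: str) -> list:
    """Run a text filter on the body column and return matching authors."""
    where, params = build_text_filter("body", op, value)
    rows = conn.execute(
        f"SELECT author FROM notes WHERE {where} ORDER BY author", params
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_sample_db()
    # A bare "%" is treated as a literal percent sign, so only bob's row
    # matches; without escaping it would match every row.
    print(find_authors(db, "contains", "%"))
    # An apostrophe in the value is harmless because it is bound, not spliced.
    print(find_authors(db, "startswith", "it's"))
```

The two checks worth keeping in a regression suite are the ones shown in the usage block: a value consisting only of a wildcard must match only rows that literally contain that character, and a value containing a quote must be matched as data rather than altering the statement. An ORM's filter layer that fails either check is building the pattern or the statement by string interpolation.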

Fix

Weakness Enumeration: SQL injection

Related Identifiers

CVE-2020-11010
GHSA-9J2C-X8QM-QMJQ
PYSEC-2020-144

Affected Products

Tortoise Orm