GHSA-887w-45rq-vxgf

Source

https://github.com/advisories/GHSA-887w-45rq-vxgf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-887w-45rq-vxgf

Aliases

Published

2019-04-16T15:50:41Z

Modified

2024-10-28T14:34:47.963400Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

SQLAlchemy vulnerable to SQL Injection via order_by parameter

Details

SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.

Database specific

{
    "nvd_published_at": "2019-02-20T00:29:00Z",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:24:54Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-89"
    ]
}

References

Affected packages

PyPI / sqlalchemy

Package

Name: sqlalchemy; View open source insights on deps.dev
Purl: pkg:pypi/sqlalchemy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.3.0b1

Fixed

1.3.0b3

Affected versions

1.*

1.3.0b1

1.3.0b2

PyPI / sqlalchemy

Package

Name: sqlalchemy; View open source insights on deps.dev
Purl: pkg:pypi/sqlalchemy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.18

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.3.10

0.3.11

0.4.0beta1

0.4.0beta2

0.4.0beta3

0.4.0beta4

0.4.0beta5

0.4.0beta6

0.4.0

0.4.1

0.4.2a

0.4.2b

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6

0.4.7

0.4.8

0.5.0beta1

0.5.0beta2

0.5.0beta3

0.5.0rc1

0.5.0rc2

0.5.0rc3

0.5.0rc4

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.5.6

0.5.7

0.5.8

0.6beta1

0.6beta2

0.6beta3

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6

0.6.7

0.6.8

0.6.9

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.7.5

0.7.6

0.7.7

0.7.8

0.7.9

0.7.10

0.8.0b2

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.10

1.*

1.0.0b1

1.0.0b2

1.0.0b3

1.0.0b4

1.0.0b5

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

1.1.0b1

1.1.0b2

1.1.0b3

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.9

1.1.10

1.1.11

1.1.12

1.1.13

1.1.14

1.1.15

1.1.16

1.1.17

1.1.18

1.2.0b1

1.2.0b2

1.2.0b3

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.2.12

1.2.13

1.2.14

1.2.15

1.2.16

1.2.17