Vulnerability Database
Blog
FAQ
Docs
GHSA-38fc-9xqv-7f7q
Suggest an improvement
Source
https://github.com/advisories/GHSA-38fc-9xqv-7f7q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-38fc-9xqv-7f7q/GHSA-38fc-9xqv-7f7q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-38fc-9xqv-7f7q
Aliases
CVE-2019-7548
PYSEC-2019-124
Published
2019-04-16T15:50:39Z
Modified
2024-10-28T14:32:33.170926Z
Severity
7.8 (High)
CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Calculator
9.3 (Critical)
CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Calculator
Summary
SQLAlchemy is vulnerable to SQL Injection via group_by parameter
Details
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-7548
https://github.com/sqlalchemy/sqlalchemy/issues/4481#issuecomment-461204518
https://github.com/sqlalchemy/sqlalchemy/issues/4510
https://access.redhat.com/errata/RHSA-2019:0981
https://access.redhat.com/errata/RHSA-2019:0984
https://github.com/advisories/GHSA-38fc-9xqv-7f7q
https://github.com/no-security/sqlalchemy_test
https://github.com/pypa/advisory-database/tree/main/vulns/sqlalchemy/PYSEC-2019-124.yaml
https://github.com/sqlalchemy/sqlalchemy
https://lists.debian.org/debian-lts-announce/2019/03/msg00020.html
https://lists.debian.org/debian-lts-announce/2021/11/msg00005.html
https://www.oracle.com/security-alerts/cpujan2021.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00087.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00010.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00016.html
Affected packages
PyPI
/
sqlalchemy
Package
Name
sqlalchemy
View open source insights on deps.dev
Purl
pkg:pypi/sqlalchemy
Affected ranges
Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
1.2.19
Affected versions
0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.3.11
0.4.0beta1
0.4.0beta2
0.4.0beta3
0.4.0beta4
0.4.0beta5
0.4.0beta6
0.4.0
0.4.1
0.4.2a
0.4.2b
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.5.0beta1
0.5.0beta2
0.5.0beta3
0.5.0rc1
0.5.0rc2
0.5.0rc3
0.5.0rc4
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6beta1
0.6beta2
0.6beta3
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9
0.7.10
0.8.0b2
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.10
1.*
1.0.0b1
1.0.0b2
1.0.0b3
1.0.0b4
1.0.0b5
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.1.0b1
1.1.0b2
1.1.0b3
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.1.11
1.1.12
1.1.13
1.1.14
1.1.15
1.1.16
1.1.17
1.1.18
1.2.0b1
1.2.0b2
1.2.0b3
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.15
1.2.16
1.2.17
1.2.18
GHSA-38fc-9xqv-7f7q - OSV