SQLAlchemy versions through 1.2.17, and 1.3.x versions through 1.3.0b2, allow SQL injection via the order_by parameter.
{ "affected_functions": [ "sqlalchemy.dialects.postgresql.base.PGDDLCompiler.visit_create_index", "sqlalchemy.dialects.postgresql.base.PGDDLCompiler.visit_exclude_constraint", "sqlalchemy.orm.session.Session.execute", "sqlalchemy.sql.compiler.SQLCompiler.visit_textual_label_reference", "sqlalchemy.sql.compiler.SQLCompiler.visit_function", "sqlalchemy.sql.compiler.DDLCompiler.define_constraint_cascades", "sqlalchemy.sql.compiler.DDLCompiler.define_constraint_deferrability", "sqlalchemy.sql.compiler.IdentifierPreparer.validate_sql_phrase", "sqlalchemy.sql.elements._document_text_coercion", "sqlalchemy.sql.elements._expression_literal_as_text", "sqlalchemy.sql.elements._literal_as", "sqlalchemy.sql.elements._interpret_as_column_or_from", "sqlalchemy.sql.selectable._interpret_as_from", "sqlalchemy.sql.selectable.HasSuffixes._setup_suffixes" ] }