PYSEC-2023-241

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/piccolo/PYSEC-2023-241.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2023-241

Aliases

Published

2023-11-10T18:15:00Z

Modified

2024-01-23T23:21:13.409656Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Piccolo is an object-relational mapping and query builder which supports asyncio. Prior to version 1.1.1, the handling of named transaction savepoints in all database implementations is vulnerable to SQL Injection via f-strings. While the likelihood of an end developer exposing a savepoints name parameter to a user is highly unlikely, it would not be unheard of. If a malicious user was able to abuse this functionality they would have essentially direct access to the database and the ability to modify data to the level of permissions associated with the database user. A non exhaustive list of actions possible based on database permissions is: Read all data stored in the database, including usernames and password hashes; insert arbitrary data into the database, including modifying existing records; and gain a shell on the underlying server. Version 1.1.1 fixes this issue.

References

Affected packages

PyPI / piccolo

Package

Name: piccolo; View open source insights on deps.dev
Purl: pkg:pypi/piccolo

Affected ranges

Type: GIT
Repo: https://github.com/piccolo-orm/piccolo
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

82679eb8cd1449cf31d87c9914a072e70168b6eb

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.2.0

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.4.0

0.4.1

0.5.0

0.5.1

0.5.2

0.6.0

0.6.1

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.7.5

0.7.6

0.7.7

0.8.0

0.8.1

0.8.2

0.8.3

0.9.0

0.9.1

0.9.2

0.9.3

0.10.0

0.10.1

0.10.2

0.10.3

0.10.4

0.10.5

0.10.6

0.10.7

0.10.8

0.11.0

0.11.1

0.11.2

0.11.3

0.11.4

0.11.5

0.11.6

0.11.7

0.11.8

0.12.0

0.12.1

0.12.2

0.12.3

0.12.4

0.12.5

0.12.6

0.13.0

0.13.1

0.13.2

0.13.3

0.13.4

0.13.5

0.14.0

0.14.1

0.14.2

0.14.3

0.14.4

0.14.5

0.14.6

0.14.7

0.14.8

0.14.9

0.14.10

0.14.11

0.14.12

0.14.13

0.15.0

0.15.1

0.16.0

0.16.1

0.16.2

0.16.3

0.16.4

0.16.5

0.17.0

0.17.1

0.17.2

0.17.3

0.17.4

0.17.5

0.18.0

0.18.1

0.18.2

0.18.3

0.18.4

0.19.0

0.19.1

0.20.0

0.21.0

0.21.1

0.21.2

0.22.0

0.23.0

0.24.0

0.24.1

0.25.0

0.26.0

0.27.0

0.28.0

0.29.0

0.30.0

0.31.0

0.32.0

0.33.0

0.33.1

0.34.0

0.35.0

0.36.0

0.37.0

0.38.0

0.38.1

0.38.2

0.39.0

0.40.0

0.40.1

0.41.0

0.41.1

0.42.0

0.43.0

0.44.0

0.44.1

0.45.0

0.45.1

0.46.0

0.47.0

0.48.0

0.49.0

0.50.0

0.51.0

0.51.1

0.52.0

0.53.0

0.54.0

0.55.0

0.56.0

0.57.0

0.58.0

0.59.0

0.60.0

0.60.1

0.60.2

0.61.0

0.61.1

0.61.2

0.62.0

0.62.1

0.62.2

0.62.3

0.63.0

0.63.1

0.64.0

0.65.0

0.65.1

0.66.0

0.66.1

0.67.0

0.68.0

0.69.0

0.69.1

0.69.2

0.69.3

0.69.4

0.69.5

0.70.0

0.70.1

0.71.0

0.71.1

0.72.0

0.73.0

0.74.0

0.74.1

0.74.2

0.74.3

0.74.4

0.75.0

0.76.0

0.76.1

0.77.0

0.78.0

0.79.0

0.80.0

0.80.1

0.80.2

0.81.0

0.82.0

0.83.0

0.84.0

0.85.0

0.85.1

0.86.0

0.87.0

0.88.0

0.89.0

0.90.0

0.91.0

0.92.0

0.93.0

0.94.0

0.95.0

0.96.0

0.97.0

0.98.0

0.99.0

0.100.0

0.101.0

0.102.0

0.103.0

0.104.0

0.105.0

0.106.0

0.107.0

0.108.0

0.109.0

0.110.0

0.111.0

0.111.1

0.112.0

0.112.1

0.113.0

0.114.0

0.115.0

0.116.0

0.117.0

0.118.0

0.119.0

0.120.0

0.121.0

1.*

1.0a1

1.0a2

1.0a3

1.0.0

1.1.0

1.1.1

1.2.0

1.3.0