SQL Injection Affecting sqlalchemy package, versions [,1.2.18)
Snyk CVSS
Attack Complexity: Low
User Interaction: Required
Confidentiality: High
Integrity: High
Availability: High
Threat Intelligence
EPSS: 0.18% (55th percentile)
- Snyk ID SNYK-PYTHON-SQLALCHEMY-173678
- published 11 Feb 2019
- disclosed 1 Feb 2019
- credit Unknown
How to fix?
Upgrade SQLAlchemy to version 1.2.18 or higher.
Overview
SQLAlchemy is a Python SQL toolkit and Object Relational Mapper.
Affected versions of this package are vulnerable to SQL Injection when the order_by and group_by parameters can be controlled by an attacker: a plain string passed to these methods is coerced into raw SQL text rather than being resolved to a column name, so the input is emitted directly into the generated query.
NOTE: This vulnerability has also been identified as: CVE-2019-7164
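As an added example (not code from the advisory or from the SQLAlchemy project), the application-side mitigation that stays correct on any version: resolve a user-supplied sort or group parameter against an allowlist of known columns before it is handed to order_by()/group_by(), so free-form text never reaches those methods. The `users` table and its three columns are assumed for illustration.

```python
from typing import Dict, Tuple

# Constructed allowlist for a hypothetical "users" table: the only columns a
# caller may sort or group by.  Keys are the public API parameter values,
# values are the real column names later looked up as users.c[name].
SORTABLE_COLUMNS: Dict[str, str] = {
    "id": "id",
    "email": "email",
    "created": "created_at",
}


def resolve_order_by(param: str) -> Tuple[str, bool]:
    """Map a sort parameter such as "created" or "-email" to
    (column_name, descending).

    Only allowlisted keys are accepted, so arbitrary text never reaches
    order_by() as a string, which is the pattern CVE-2019-7164 covers
    (affected versions coerced such strings into raw SQL).
    """
    if not isinstance(param, str) or not param:
        raise ValueError("sort parameter must be a non-empty string")
    descending = param.startswith("-")
    key = param[1:] if descending else param
    if key not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {key!r}")
    return SORTABLE_COLUMNS[key], descending


def resolve_group_by(param: str) -> str:
    """Same allowlist for group_by(); a direction prefix makes no sense here
    and is rejected rather than silently stripped."""
    if param not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported group column: {param!r}")
    return SORTABLE_COLUMNS[param]


def is_safe_sort_param(param: str) -> bool:
    """True if resolve_order_by() would accept the value."""
    try:
        resolve_order_by(param)
    except ValueError:
        return False
    return True


# Using the resolved name with SQLAlchemy 1.2 (not run here; assumes a Table
# object named `users` built elsewhere):
#   col, desc = resolve_order_by(request_param)
#   order = users.c[col].desc() if desc else users.c[col]
#   stmt = select([users]).order_by(order)
# The vulnerable form is the raw string:  select([users]).order_by(request_param)
```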