SQL Injection Affecting sqlalchemy package, versions [,1.2.18)
Threat Intelligence
EPSS: 0.24% (65th percentile)
- Snyk ID SNYK-PYTHON-SQLALCHEMY-173678
- published 11 Feb 2019
- disclosed 1 Feb 2019
- credit Unknown
How to fix?
Upgrade SQLAlchemy to version 1.2.18 or higher.
Overview
SQLAlchemy is a Python SQL Toolkit and Object Relational Mapper.
Affected versions of this package are vulnerable to SQL Injection when the value passed to the group_by or order_by parameter can be controlled by untrusted input.
NOTE: This vulnerability has also been identified as: CVE-2019-7164
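The advisory's point is that a sort or group column coming from a request must never reach order_by() or group_by() as a raw string. The following block is an added example, not code from the Snyk advisory or from the SQLAlchemy project: it maps a request parameter such as "-created_at" onto an allow-list of known column names before any query is built, and it checks an installed version string against the fixed release 1.2.18 named above. The column names in ALLOWED_SORT_COLUMNS and the helper names are assumptions chosen for illustration; the block does not import SQLAlchemy, so it runs offline.

```python
"""Added example (not from the advisory or the SQLAlchemy project):
allow-list validation for user-controlled order_by/group_by values, plus a
check of an installed SQLAlchemy version against the fixed release 1.2.18."""
import re
from typing import Tuple

# Hypothetical allow-list: the only columns a client may sort or group by.
ALLOWED_SORT_COLUMNS = frozenset({"id", "created_at", "username"})
# First release containing the fix, per the advisory ([,1.2.18) is affected).
FIXED_VERSION = (1, 2, 18)

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_sort_param(value: str, allowed=ALLOWED_SORT_COLUMNS) -> Tuple[str, str]:
    """Turn a request parameter such as '-created_at' into (column, direction).

    Anything that is not exactly one allow-listed identifier is rejected, so
    no caller-supplied text is ever handed to the query builder as SQL.
    """
    direction = "asc"
    if value.startswith("-"):
        direction = "desc"
        value = value[1:]
    if not _IDENT.match(value) or value not in allowed:
        raise ValueError(f"unsupported sort column: {value!r}")
    return value, direction


def is_accepted(value: str) -> bool:
    """Convenience predicate: does the allow-list admit this parameter?"""
    try:
        parse_sort_param(value)
    except ValueError:
        return False
    return True


def build_order_clause(user_value: str) -> str:
    """Return the ORDER BY fragment a validated parameter maps to.

    In application code you would pass the mapped column object instead,
    e.g. getattr(Model, column).asc()/.desc(); the string returned here only
    shows what the allow-list permits through.
    """
    column, direction = parse_sort_param(user_value)
    return f"{column} {direction.upper()}"


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.2.17' -> (1, 2, 17); pre-release suffixes are dropped: '1.3.0b1' -> (1, 3, 0)."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the given SQLAlchemy version lies in the affected range [,1.2.18)."""
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample parameters: two valid, one malformed, one unknown column.
    for raw in ("created_at", "-username", "id, name", "price"):
        try:
            print(f"{raw!r} -> {build_order_clause(raw)}")
        except ValueError as exc:
            print(f"{raw!r} -> rejected: {exc}")
    for ver in ("1.2.17", "1.2.18", "1.3.0b1"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "fixed")
```

The allow-list is the control that matters even after upgrading: the fix in 1.2.18 changes how SQLAlchemy treats strings passed to order_by() and group_by(), but resolving a request parameter to a known column object before the query is built keeps the application independent of that library behaviour.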
CVSS Scores: version 3.1