CVE-2019-7548

Aliases:GHSA-38fc-9xqv-7f7qPYSEC-2019-124
Advisory lineage Upstream: 0 Downstream: 16
Modified
Published: 06 Feb 2019, 21:00
Last modified:04 Aug 2024, 20:54

Vulnerability Summary

Overall Risk (default)
medium
41/100
CVSS Score
7.8 HIGH
v3.1 (nvd)
EPSS Score
1.09% LOW
1% probability +0.05%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

06 Feb 2019, 21:00
Published
Vulnerability first disclosed
04 Aug 2024, 20:54
Last Modified
Vulnerability information updated

Description

SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.

CVSS Metrics

  • v4.0CRITICALScore: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • v3.1HIGHScore: 7.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • v3.0HIGHScore: 7.8CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • v2.0MEDIUMScore: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 1.09% Percentile: 78%

Techniques & Countermeasures

  • CWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

    The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Affected Systems

  • debiandebian_linux

    8.0 | 9.0

  • opensusebackports_sle

    15.0

  • opensuseleap

    15.0 | 15.1

  • oraclecommunications_operations_monitor

    4.2 | 4.3

  • PyPIsqlalchemy

    < 1.2.19 | < 1.2.18

  • redhatenterprise_linux

    8.0

  • redhatenterprise_linux_eus

    8.1 | 8.2 | 8.4

  • redhatenterprise_linux_server_aus

    8.2 | 8.4

  • redhatenterprise_linux_server_tus

    8.2 | 8.4

  • sqlalchemysqlalchemy

    1.2.17

References (15)