SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Debian
  • Debian Linux
Opensuse
  • Backports Sle
  • Leap
Oracle
  • Communications Operations Monitor
Redhat
  • Enterprise Linux
  • Enterprise Linux Eus
  • Enterprise Linux Server Aus
  • Enterprise Linux Server Tus
Sqlalchemy
  • Sqlalchemy

Configuration 1 [-]

cpe:2.3:a:sqlalchemy:sqlalchemy:1.2.17:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:-:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*

Configuration 5 [-]

OR cpe:2.3:a:oracle:communications_operations_monitor:4.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 8
python27:2.7-8000020190410132513.c0efe978 cpe:/a:redhat:enterprise_linux:8 RHSA-2019:0981 2019-05-07T00:00:00Z
python36:3.6-8000020190410133122.593c47b3 cpe:/a:redhat:enterprise_linux:8 RHSA-2019:0984 2019-05-07T00:00:00Z
References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00087.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00010.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00016.html cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:0981 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:0984 cve-icon cve-icon
https://github.com/no-security/sqlalchemy_test cve-icon cve-icon
https://github.com/sqlalchemy/sqlalchemy/issues/4481#issuecomment-461204518 cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2019/03/msg00020.html cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2021/11/msg00005.html cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2019-7548 cve-icon
https://www.cve.org/CVERecord?id=CVE-2019-7548 cve-icon
https://www.oracle.com/security-alerts/cpujan2021.html cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-02-06T21:00:00

Updated: 2024-08-04T20:54:27.873Z

Reserved: 2019-02-06T00:00:00

Link: CVE-2019-7548

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2019-02-06T21:29:01.063

Modified: 2021-11-30T19:52:29.610

Link: CVE-2019-7548

cve-icon Redhat

Severity : Moderate

Publid Date: 2019-02-01T00:00:00Z

Links: CVE-2019-7548 - Bugzilla