Vulnerability Description
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
CVSS Score
7.8
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sqlalchemy | Sqlalchemy | 1.2.17 |
| Debian | Debian Linux | 8.0 |
| Opensuse | Backports Sle | 15.0 |
| Opensuse | Leap | 15.0 |
| Redhat | Enterprise Linux | 8.0 |
| Redhat | Enterprise Linux Eus | 8.1 |
| Redhat | Enterprise Linux Server Aus | 8.2 |
| Redhat | Enterprise Linux Server Tus | 8.2 |
| Oracle | Communications Operations Monitor | 4.2 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00087.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00010.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00016.htmlMailing ListThird Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0981Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0984Third Party Advisory
- https://github.com/no-security/sqlalchemy_testExploitThird Party Advisory
- https://github.com/sqlalchemy/sqlalchemy/issues/4481#issuecomment-461204518PatchThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2019/03/msg00020.htmlMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/11/msg00005.htmlMailing ListThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2021.htmlPatchThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00087.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00010.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00016.htmlMailing ListThird Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0981Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0984Third Party Advisory
FAQ
What is CVE-2019-7548?
CVE-2019-7548 is a vulnerability with a CVSS score of 7.8 (HIGH). SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
How severe is CVE-2019-7548?
CVE-2019-7548 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-7548?
Check the references section above for vendor advisories and patch information. Affected products include: Sqlalchemy Sqlalchemy, Debian Debian Linux, Opensuse Backports Sle, Opensuse Leap, Redhat Enterprise Linux.