Vulnerability Description
In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of SQL injection have been found for MySQL and when filtering or doing mass-updates on char/text fields. SQLite & PostgreSQL are only affected when filtering with contains, starts_with, or ends_with filters (and their case-insensitive counterparts).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tortoise Orm Project | Tortoise Orm | < 0.15.23 |
Related Weaknesses (CWE)
References
- https://github.com/tortoise/tortoise-orm/commit/91c364053e0ddf77edc5442914c6f049PatchThird Party Advisory
- https://github.com/tortoise/tortoise-orm/security/advisories/GHSA-9j2c-x8qm-qmjqThird Party Advisory
- https://github.com/tortoise/tortoise-orm/commit/91c364053e0ddf77edc5442914c6f049PatchThird Party Advisory
- https://github.com/tortoise/tortoise-orm/security/advisories/GHSA-9j2c-x8qm-qmjqThird Party Advisory
FAQ
What is CVE-2020-11010?
CVE-2020-11010 is a vulnerability with a CVSS score of 6.3 (MEDIUM). In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of SQL injection have been found for MySQL and when filtering or doing mass-updates on char/text fields. SQLite & PostgreSQL are only ...
How severe is CVE-2020-11010?
CVE-2020-11010 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11010?
Check the references section above for vendor advisories and patch information. Affected products include: Tortoise Orm Project Tortoise Orm.