SQL Injection Vulnerability in SQLAlchemy Affected by User-Controlled Parameters
CVE-2019-7548

7.8HIGH

Key Information:

Vendor

Sqlalchemy

Status
Sqlalchemy
Vendor
CVE Published:
6 February 2019

What is CVE-2019-7548?

SQLAlchemy version 1.2.17 contains a vulnerability that allows attackers to exploit a SQL Injection flaw when the group_by parameter is externally controlled. This weakness could lead to unauthorized access to sensitive data or manipulation of database queries. It is crucial for users to update to a secure version of SQLAlchemy to protect against potential exploitation.

References

https://lists.debian.org/debian-lts-announce/2019/03/msg0...
mailing-listx_refsource_MLIST
https://access.redhat.com/errata/RHSA-2019:0984
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:0981
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.