CVE-2019-7548
HIGH EPSS 75.4%
Published Feb 6, 20197y ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
Published Feb 6, 2019 7y ago
Last Modified Jun 17, 2026 2w ago
Description
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
75.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-89 SQL Injection Injection
Affected Products 16
| Vendor | Product | Version | Range |
|---|---|---|---|
| sqlalchemy | sqlalchemy | 1.2.17 | any |
| debian | debian_linux | 8.0 | any |
| debian | debian_linux | 9.0 | any |
| opensuse | backports_sle | 15.0 | any |
| opensuse | leap | 15.0 | any |
| opensuse | leap | 15.1 | any |
| redhat | enterprise_linux | 8.0 | any |
| redhat | enterprise_linux_eus | 8.1 | any |
| redhat | enterprise_linux_eus | 8.2 | any |
| redhat | enterprise_linux_eus | 8.4 | any |
| redhat | enterprise_linux_server_aus | 8.2 | any |
| redhat | enterprise_linux_server_aus | 8.4 | any |
| redhat | enterprise_linux_server_tus | 8.2 | any |
| redhat | enterprise_linux_server_tus | 8.4 | any |
| oracle | communications_operations_monitor | 4.2 | any |
| oracle | communications_operations_monitor | 4.3 | any |
References 10
- lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00087.html
- lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00010.html
- lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00016.html
- access.redhat.com https://access.redhat.com/errata/RHSA-2019:0981
- access.redhat.com https://access.redhat.com/errata/RHSA-2019:0984
- github.com https://github.com/no-security/sqlalchemy_test
- github.com https://github.com/sqlalchemy/sqlalchemy/issues/4481#issuecomment-461204518
- lists.debian.org https://lists.debian.org/debian-lts-announce/2019/03/msg00020.html
- lists.debian.org https://lists.debian.org/debian-lts-announce/2021/11/msg00005.html
- oracle.com https://www.oracle.com/security-alerts/cpujan2021.html
Remediation
- github.com https://github.com/sqlalchemy/sqlalchemy/issues/4481#issuecomment-461204518
- oracle.com https://www.oracle.com/security-alerts/cpujan2021.html