First published: Fri Feb 01 2019
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SQLAlchemy | <=1.2.17 | Upgrade to 1.2.18 |
| SQLAlchemy | =1.3.0-beta1 | Upgrade to 1.3.0b3 |
| SQLAlchemy | =1.3.0-beta2 | Upgrade to 1.3.0b3 |
| Debian Linux | =8.0 | |
| Debian Linux | =9.0 | |
| openSUSE Backports SLE | =15.0 | |
| openSUSE Leap | =15.0 | |
| openSUSE Leap | =15.1 | |
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux EUS | =8.1 | |
| Red Hat Enterprise Linux EUS | =8.2 | |
| Red Hat Enterprise Linux EUS | =8.4 | |
| Red Hat Enterprise Linux Server AUS | =8.2 | |
| Red Hat Enterprise Linux Server AUS | =8.4 | |
| Red Hat Enterprise Linux Server TUS | =8.2 | |
| Red Hat Enterprise Linux Server TUS | =8.4 | |
| Oracle Communications Operations Monitor | =4.2 | |
| Oracle Communications Operations Monitor | =4.3 | |
| pip/SQLAlchemy | >=0, <1.2.18 | 1.2.18 |
| pip/SQLAlchemy | >=1.3.0b1, <1.3.0b3 | 1.3.0b3 |
The severity of CVE-2019-7164 is critical with a CVSS score of 9.8.
The following software versions are affected by CVE-2019-7164: SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2. An application is exposed when it passes a string built from untrusted input (for example a sort parameter taken from a request) to order_by(), because affected versions rendered such a string into the ORDER BY clause as raw SQL text instead of treating it only as a column or label name.
To fix CVE-2019-7164, upgrade SQLAlchemy to 1.2.18, or to 1.3.0b3 or any later release (1.3.0 and up); users of the distribution packages listed above should apply their vendor's update, such as the Red Hat advisory linked below. The patched versions refuse strings that do not name a column or label, but the application-side fix still applies: map sort parameters onto an allow-list of known columns rather than relying on the library to reject bad input.
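The two application-side patterns behind this CVE, as an added example that is not SecAlerts' text or the SQLAlchemy project's own code. It assumes a constructed `users` table with three sample rows in an in-memory SQLite database, and relies on the library behaviour described in the SQLAlchemy 1.3 migration notes: from 1.2.18 / 1.3.0b3 on, a string passed to `order_by()` is resolved only as a column or label name and otherwise rejected when the statement is compiled, whereas 1.2.17 and earlier coerced it to `text()` and rendered it verbatim. The vulnerable function therefore returns `None` on a patched library; on 1.2.17 it would instead return the rows in the order the attacker-controlled string asked for, with only a warning.

```python
from sqlalchemy import Column, Integer, MetaData, String, Table, create_engine
from sqlalchemy.exc import SQLAlchemyError

# Constructed schema and rows for the demonstration (not from the advisory).
metadata = MetaData()
users = Table(
    "users",
    metadata,
    Column("id", Integer, primary_key=True),
    Column("name", String(50)),
    Column("role", String(20)),
)
SAMPLE_ROWS = [
    {"id": 1, "name": "carol", "role": "admin"},
    {"id": 2, "name": "alice", "role": "user"},
    {"id": 3, "name": "bob", "role": "user"},
]

engine = create_engine("sqlite://")  # in-memory SQLite, no external setup
metadata.create_all(engine)
with engine.begin() as conn:
    conn.execute(users.insert(), SAMPLE_ROWS)


def _names(stmt):
    """Execute a SELECT over users and return the name column in result order."""
    with engine.connect() as conn:
        return [row[1] for row in conn.execute(stmt)]


def unsafe_sort(sort_param):
    """Vulnerable pattern: the request parameter goes straight into order_by().

    A bare column name such as "name" is resolved as a label on every version.
    Anything else ("name DESC", a subquery, ...) was coerced to raw text() and
    rendered verbatim on SQLAlchemy <= 1.2.17 / 1.3.0b2; 1.2.18 and 1.3.0b3+
    refuse it at compile time, which this function reports as None.
    """
    stmt = users.select().order_by(sort_param)
    try:
        return _names(stmt)
    except SQLAlchemyError:
        return None


# Hardened pattern: the parameter selects from known Column objects, so the
# user-supplied string never becomes SQL. A leading "-" requests descending order.
SORTABLE = {"id": users.c.id, "name": users.c.name, "role": users.c.role}


def parse_sort(sort_param, allowed=SORTABLE):
    """Map "name" -> name ASC and "-name" -> name DESC; reject anything else."""
    descending = sort_param.startswith("-")
    key = sort_param[1:] if descending else sort_param
    if key not in allowed:
        raise ValueError("unsupported sort key: %r" % (sort_param,))
    column = allowed[key]
    return column.desc() if descending else column.asc()


def safe_sort(sort_param):
    """Same query as unsafe_sort, but ordered by an allow-listed column."""
    return _names(users.select().order_by(parse_sort(sort_param)))


if __name__ == "__main__":
    print(unsafe_sort("name"))       # ['alice', 'bob', 'carol']
    print(unsafe_sort("name DESC"))  # None on a patched library
    print(safe_sort("-name"))        # ['carol', 'bob', 'alice']
    try:
        safe_sort("name DESC")
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is the part worth copying: ORDER BY targets cannot be bound as query parameters, so the only robust defence is to translate the client's sort key into a column object you already hold, and to fail closed on anything unrecognised.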
You can find more information about CVE-2019-7164 at the following links: [CVE-2019-7164](https://www.cve.org/CVERecord?id=CVE-2019-7164), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2019-7164), [Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1678520), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2019:0981).