EIQ-2019-0018



ID

EIQ-2019-0018

CVE

CVE-2019-7548

Description

SQL injection through group_by in SQLAlchemy 1.2.17

Date

17 Apr 2019

Severity

3 - HIGH

CVSSv3 score

7.8

Status

All versions

Assessment

In SQLAlchemy 1.2.17, an attacker who gains control of the group_by parameter of the Query object can use it to perform SQL injection.


The vulnerability does not affect EclecticIQ Platform, because no platform release uses an affected version of this dependency. Therefore, the platform exposes no surface through which the vulnerability could be exploited.

Mitigation

Upgrade SQLAlchemy to version 1.2.18 or later.
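Upgrading removes the library defect, but the application-side control that keeps a user-chosen group-by column from ever reaching the query as free text is worth having regardless of version. The example below is added to this advisory and is not EclecticIQ's or SQLAlchemy's code. It shows the general pattern (map a caller-supplied key onto a fixed allowlist of known column identifiers, and keep filter values as bound parameters) using only the standard-library sqlite3 module so that it runs without SQLAlchemy installed; the table name, columns and rows are constructed for the demonstration.

```python
"""Allowlist-based handling of a caller-supplied GROUP BY column.

Added illustration for the issue class behind CVE-2019-7548; not code
from EclecticIQ Platform or SQLAlchemy. Uses stdlib sqlite3 so it runs
offline. The `issues` table, its columns and its rows are constructed.
"""
import sqlite3

# Identifiers (table and column names) cannot be sent as bound parameters,
# so the only safe way to accept a user-chosen grouping column is to map
# the request onto a fixed set of identifiers the application itself owns.
GROUP_BY_ALLOWLIST = frozenset({"severity", "status"})


class UnsafeGroupBy(ValueError):
    """Raised when the requested grouping column is not on the allowlist."""


def validate_group_by(requested: str) -> str:
    """Return the requested column name only if it is a known identifier."""
    if requested not in GROUP_BY_ALLOWLIST:
        raise UnsafeGroupBy(f"group_by not allowed: {requested!r}")
    return requested


def count_open_by(conn: sqlite3.Connection, requested_group_by: str) -> list:
    """Count open issues grouped by a caller-chosen, allowlisted column."""
    column = validate_group_by(requested_group_by)
    # `column` is now one of our own literals, so interpolating it into the
    # statement is safe; the status filter value still travels as a parameter.
    sql = (
        f"SELECT {column}, COUNT(*) FROM issues "
        f"WHERE status = ? GROUP BY {column}"
    )
    return sorted(conn.execute(sql, ("open",)).fetchall())


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE issues (id INTEGER, severity TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO issues VALUES (?, ?, ?)",
        [
            (1, "HIGH", "open"),
            (2, "HIGH", "open"),
            (3, "LOW", "open"),
            (4, "LOW", "closed"),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(count_open_by(db, "severity"))  # [('HIGH', 2), ('LOW', 1)]
    try:
        count_open_by(db, "id")  # not on the allowlist, so it is rejected
    except UnsafeGroupBy as exc:
        print("rejected:", exc)
```

The same idea carries over to an ORM: resolve the allowlisted name to a column object (for SQLAlchemy, a `Column` from the mapped table) and pass that object to `group_by`, never a string assembled from request data.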

Affected versions

None

Notes

For more information, see:



In release notes 2.4.0