EIQ-2019-0019



ID

EIQ-2019-0019

CVE

CVE-2019-7164

Description

SQL injection through order_by in SQLAlchemy 1.2.17 and 1.3.x to 1.3.0b2

Date

17 Apr 2019

Severity

4 - CRITICAL

CVSSv3 score

9.8

Status

All versions

Assessment

In SQLAlchemy 1.2.17 and 1.3.x up to and including 1.3.0b2, an attacker who could obtain control of the order_by parameter of the Query object could use it to perform SQL injection.


The vulnerability does not affect EclecticIQ Platform, because no platform release uses an affected version of this dependency.
Therefore, there is no exposure surface for exploiting the vulnerability in the platform.

Mitigation

Upgrade SQLAlchemy to version 1.2.18 or later, or to version 1.3.1 or later.
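A dependency check against the version ranges this advisory states, as an added example that is not EclecticIQ's code: it parses a `pip freeze` pin (pre-release tags such as `b2` sort before the final release, so `1.3.0b2 < 1.3.0`) and reports whether the pin falls inside the affected range from the Assessment section or satisfies the Mitigation guidance. The sample freeze output is constructed.

```python
import re

# Ranges stated on this page. "Affected" follows the Assessment section
# (1.2.17, and the 1.3 line up to and including 1.3.0b2); "mitigated"
# follows the Mitigation section (1.2.18 or later on the 1.2 line, or 1.3.1+).
PRE_RANK = {"a": 0, "b": 1, "rc": 2}

def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH[{a|b|rc}N]' into a tuple that sorts correctly.
    A pre-release tag sorts before the final release, so 1.3.0b2 < 1.3.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised SQLAlchemy version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    # Final releases get rank 3 so they sort after any a/b/rc tag.
    pre = (PRE_RANK[m.group(4)], int(m.group(5))) if m.group(4) else (3, 0)
    return (major, minor, patch, pre)

def is_affected(version):
    """True if the version is inside the range the Assessment calls affected."""
    v = parse_version(version)
    return v == parse_version("1.2.17") or \
        parse_version("1.3.0a0") <= v <= parse_version("1.3.0b2")

def is_mitigated(version):
    """True if the version satisfies the upgrade advice in the Mitigation."""
    v = parse_version(version)
    return (parse_version("1.2.18") <= v < parse_version("1.3.0a0")) or \
        v >= parse_version("1.3.1")

def audit_freeze(freeze_output):
    """Scan `pip freeze` style lines for the SQLAlchemy pin.
    Returns the pinned version with both verdicts, or None when unpinned."""
    for line in freeze_output.splitlines():
        name, sep, ver = line.strip().partition("==")
        if sep and name.lower() == "sqlalchemy":
            return {"version": ver, "affected": is_affected(ver),
                    "mitigated": is_mitigated(ver)}
    return None

# Constructed sample `pip freeze` output; not taken from any platform release.
SAMPLE_FREEZE = """\
Flask==1.0.2
SQLAlchemy==1.3.0b1
requests==2.21.0
"""

if __name__ == "__main__":
    print(audit_freeze(SAMPLE_FREEZE))
```

Versions the advisory places in neither range (for example 1.3.0b3 or 1.3.0) come back with both verdicts False, so they still need a manual look rather than being treated as safe.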

Affected versions

None

Notes

For more information, see:



In release notes 2.4.0