# EIQ-2019-0018

| Field | Value |
|---|---|
| ID | EIQ-2019-0018 |
| CVE | |
| Description | SQL injection through `group_by` in SQLAlchemy 1.2.17 |
| Date | 17 Apr 2019 |
| Severity | 3 - HIGH |
| CVSSv3 score | 7.8 |
| Status | ✅ All versions |
| Assessment | In SQLAlchemy 1.2.17 an attacker could obtain control of the `group_by` parameter of the `Query` object, and they could use it to perform SQL injection. Note: the vulnerability does not affect EclecticIQ Platform, because no platform releases use affected versions of this dependency. Therefore, there is no exposure surface to exploit the vulnerability in the platform. |
| Mitigation | Upgrade SQLAlchemy to version 1.2.18 or later. |
| Affected versions | None |
| Notes | For more information, see: |