EIQ-2019-0019
ID | EIQ-2019-0019
---|---
CVE |
Description | SQL injection through `order_by` in SQLAlchemy 1.2.17 and 1.3.x up to 1.3.0b2
Date | 17 Apr 2019
Severity | 4 - CRITICAL
CVSSv3 score | 9.8
Status | ✅ All versions
Assessment | In SQLAlchemy 1.2.17 and 1.3.x up to and including 1.3.0b2, an attacker who gains control of the `order_by` parameter of the `Query` object can use it to perform SQL injection. Note: the vulnerability does not affect EclecticIQ Platform, because no platform release uses an affected version of this dependency. There is therefore no exposure surface through which the vulnerability could be exploited in the platform.
Mitigation | Upgrade SQLAlchemy to version 1.2.18 or later, or to version 1.3.1 or later.
Affected versions | None
Notes | For more information, see:
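The assessment above turns on one pattern: request-supplied text reaching `Query.order_by()`. Upgrading is the fix for this advisory; the defensive coding habit that removes the exposure regardless of library version is to map the user's sort parameter onto an allow-list and hand `order_by()` only column objects. The example below is added here and is not EclecticIQ's or SQLAlchemy's code; `ALLOWED_SORT_COLUMNS` and `parse_sort_param` are hypothetical names, and the caller is assumed to apply the result with `getattr(Model, column).asc()` / `.desc()`.

```python
"""Allow-list handling of a sort parameter (added example, not from the
advisory). The string from the request never reaches order_by(); only
column names taken from ALLOWED_SORT_COLUMNS do."""
from typing import List, Tuple

# Hypothetical allow-list: request-facing sort keys -> model column names.
ALLOWED_SORT_COLUMNS = {
    "created": "created_at",
    "title": "title",
    "id": "id",
}


def parse_sort_param(raw: str, max_keys: int = 3) -> List[Tuple[str, str]]:
    """Turn a request value such as "-created,title" into
    [("created_at", "desc"), ("title", "asc")].

    Any key not in the allow-list raises ValueError, so an unexpected
    value is rejected instead of being interpreted as SQL. The caller
    then builds the ordering as getattr(Model, column).asc()/.desc(),
    which means Query.order_by() only ever receives Column expressions.
    """
    result: List[Tuple[str, str]] = []
    for token in raw.split(","):
        token = token.strip()
        if not token:
            continue  # tolerate an empty segment such as a trailing comma
        direction = "asc"
        if token.startswith("-"):
            direction, token = "desc", token[1:]
        if token not in ALLOWED_SORT_COLUMNS:
            raise ValueError("unsupported sort key: %r" % token)
        result.append((ALLOWED_SORT_COLUMNS[token], direction))
        if len(result) > max_keys:
            raise ValueError("too many sort keys (max %d)" % max_keys)
    return result
```

Rejecting unknown keys rather than passing them through is the part that matters: the validator decides what the database sees, not the request.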