
CVE-2019-7164: SQLAlchemy vulnerable to SQL Injection via order_by parameter

CVSS Score: 9.8 (CVSS v3.0)

Basic Information

EPSS Score: 0.82747%
Published: 4/16/2019
Updated: 10/28/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions  | First Patched Version
SQLAlchemy   | pip       | >= 1.3.0b1, < 1.3.0b3 | 1.3.0b3
SQLAlchemy   | pip       | >= 0, < 1.2.18        | 1.2.18

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The analysis focused on changes related to handling textual SQL and order_by parameters, identifying functions that were modified to prevent SQL injection. These include compiler and element processing functions, as well as specific dialect validation methods.

WAF Protection Rules

WAF Rule

SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.