
CVE-2019-7548: SQLAlchemy is vulnerable to SQL Injection via group_by parameter

CVSS Score (v3.0): 7.8

Basic Information

EPSS Score: 0.77155%
Published: 4/16/2019
Updated: 10/28/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
SQLAlchemy     pip         < 1.2.19              1.2.19

Vulnerability Intelligence
Root Cause Analysis

The vulnerable functions are identified from the report that the group_by parameter was not properly validated, which leads to SQL injection. The patch for CVE-2019-7548 and the related discussion indicate that the handling of group_by and order_by was modified to address the issue, so the functions handling these parameters are considered vulnerable.
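One application-side mitigation for the root cause above, as an added example that is not SQLAlchemy's or Miggo's code: a client-supplied group_by choice is resolved through an allow-list (the hypothetical ALLOWED_GROUP_BY for a hypothetical /reports endpoint) before anything reaches Query.group_by(), and the same resolver is reused to audit constructed access-log lines for values an application on an unpatched version would have passed straight into SQL.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list for a hypothetical /reports endpoint: the value a
# client may send maps to the real column name that the query will use.
ALLOWED_GROUP_BY = {
    "status": "orders.status",
    "customer": "orders.customer_id",
    "month": "orders.created_month",
}

# A plain column label: a bare identifier or table.column. Commas, parentheses,
# quotes, comments or whitespace mean the value is an expression, not a label.
_SIMPLE_LABEL = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$")

class UnsafeGroupBy(ValueError):
    """Raised when a client-supplied group_by value must not reach the query."""

def resolve_group_by(user_value: str) -> str:
    """Map a client-supplied group_by choice to a trusted column name.
    Only values taken from ALLOWED_GROUP_BY are returned, so the result is
    safe to hand to Query.group_by(); the raw string never reaches SQL."""
    if not _SIMPLE_LABEL.match(user_value):
        raise UnsafeGroupBy(f"not a plain column label: {user_value!r}")
    if user_value not in ALLOWED_GROUP_BY:
        raise UnsafeGroupBy(f"column not permitted for grouping: {user_value!r}")
    return ALLOWED_GROUP_BY[user_value]

def audit_group_by_params(log_lines):
    """Defender-side check over access-log lines ('METHOD path?query ...'):
    return (raw_value, reason) for every group_by value the resolver rejects,
    i.e. what an app on an unpatched SQLAlchemy would have passed through."""
    findings = []
    for line in log_lines:
        target = line.split()[1]
        for raw in parse_qs(urlsplit(target).query).get("group_by", []):
            try:
                resolve_group_by(raw)
            except UnsafeGroupBy as exc:
                findings.append((raw, str(exc)))
    return findings

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "GET /reports?group_by=status HTTP/1.1 200",
    "GET /reports?group_by=customer HTTP/1.1 200",
    "GET /reports?group_by=status%2Ctotal HTTP/1.1 200",
    "GET /reports?group_by=amount HTTP/1.1 200",
]
```

Running audit_group_by_params(SAMPLE_LOG) flags the third and fourth lines: one because the value is an expression rather than a label, the other because the column is not on the allow-list.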


WAF Protection Rules

WAF Rule

SQLAlchemy *.*.** has SQL Injection when the group_by parameter can be controlled.
