CVE-2019-7548: SQLAlchemy is vulnerable to SQL Injection via group_by parameter
CVSS Score: 7.8 (CVSS v3.0)
Basic Information
CVE ID: CVE-2019-7548
GHSA ID:
EPSS Score: 0.77155%
CWE:
Published: 4/16/2019
Updated: 10/28/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
SQLAlchemy | pip | < 1.2.19 | 1.2.19 |
Vulnerability Intelligence
Miggo AI Root Cause Analysis
The vulnerable functions were identified from the report that the group_by parameter was not properly validated, which allowed SQL injection. The patch for CVE-2019-7548 and the related discussion show that the handling of group_by and order_by was changed to address this issue, so the functions that process these parameters are treated as the vulnerable ones.