Miggo Logo
Miggo Vulnerability Database
CVE-2024-9774

CVE-2024-9774:
python-sql SQL injection vulnerability

6.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2024-9774
GHSA ID
GHSA-pq9p-pc3p-9hm4
EPSS Score
0.26047%
CWE
CWE-150
Published
12/27/2024
Updated
2/7/2025
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
python-sqlpip< 1.5.21.5.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unary operators (And/Or) not escaping non-Expression arguments. The bug report example shows And([Literal(True), 'foo']) produces unsafe SQL with raw 'foo' instead of a parameter. The commit f20551bbb8b3 explicitly addresses unary operator parameter handling. Since And and Or are core unary operators in sql.operators, their operand processing logic (likely in init or string serialization) is the root cause. The high confidence comes from direct evidence in the bug report, CVE description, and commit message linking to these operators.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in pyt*on-sql w**r* un*ry op*r*tors *o not *s**p* non-*xpr*ssion (lik* `*n*` *n* `Or`) w*i** m*k*s *ny syst*m *xposin* t*os* vuln*r**l* to *n SQL inj**tion *tt**k.

Reasoning

T** vuln*r**ility st*ms *rom un*ry op*r*tors (*n*/Or) not *s**pin* non-*xpr*ssion *r*um*nts. T** *u* r*port *x*mpl* s*ows *n*([Lit*r*l(Tru*), '*oo']) pro*u**s uns*** SQL wit* r*w '*oo' inst*** o* * p*r*m*t*r. T** *ommit ************ *xpli*itly ***r*s