{"id":"PYSEC-2019-124","details":"SQLAlchemy 1.2.17 is vulnerable to SQL injection when untrusted input can control the group_by parameter. The affected range in this record covers all releases before 1.2.18.","aliases":["CVE-2019-7548","GHSA-38fc-9xqv-7f7q"],"modified":"2023-11-01T05:44:38.917200Z","published":"2019-02-06T21:29:00Z","references":[{"type":"WEB","url":"https://github.com/no-security/sqlalchemy_test"},{"type":"REPORT","url":"https://github.com/sqlalchemy/sqlalchemy/issues/4481#issuecomment-461204518"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00020.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:0984"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:0981"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00087.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00010.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00016.html"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-38fc-9xqv-7f7q"}],"affected":[{"package":{"name":"sqlalchemy","ecosystem":"PyPI","purl":"pkg:pypi/sqlalchemy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.18"}]}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.2.5","0.2.6","0.2.7","0.2.8","0.3.0","0.3.1","0.3.2","0.3.3","0.3.4","0.3.5","0.3.6","0.3.7","0.3.8","0.3.9","0.3.10","0.3.11","0.4.0beta1","0.4.0beta2","0.4.0beta3","0.4.0beta4","0.4.0beta5","0.4.0beta6","0.4.0","0.4.1","0.4.2a","0.4.2b","0.4.2","0.4.3","0.4.4","0.4.5","0.4.6","0.4.7","0.4.8","0.5.0beta1","0.5.0beta2","0.5.0beta3","0.5.0rc1","0.5.0rc2","0.5.0rc3","0.5.0rc4","0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.5.6","0.5.7","0.5.8","0.6beta1","0.6beta2","0.6beta3","0.6.0","0.6.1","0.6.2","0.6.3","0.6.4","0.6.5","0.6.6","0.6.7","0.6.8","0.6.9","0.7.0","0.7.1","0.7.
2","0.7.3","0.7.4","0.7.5","0.7.6","0.7.7","0.7.8","0.7.9","0.7.10","0.8.0b2","0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.8.5","0.8.6","0.8.7","0.9.0","0.9.1","0.9.2","0.9.3","0.9.4","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9","0.9.10","1.0.0b1","1.0.0b2","1.0.0b3","1.0.0b4","1.0.0b5","1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.15","1.0.16","1.0.17","1.0.18","1.0.19","1.1.0b1","1.1.0b2","1.1.0b3","1.1.0","1.1.1","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.1.7","1.1.8","1.1.9","1.1.10","1.1.11","1.1.12","1.1.13","1.1.14","1.1.15","1.1.16","1.1.17","1.1.18","1.2.0b1","1.2.0b2","1.2.0b3","1.2.0","1.2.1","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9","1.2.10","1.2.11","1.2.12","1.2.13","1.2.14","1.2.15","1.2.16","1.2.17"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/sqlalchemy/PYSEC-2019-124.yaml"}}],"schema_version":"1.7.3"}