SqlAlchemy vulnerabilities CVE-2019-7164


ANAND NARAYAN

Sep 13, 2019, 5:07:27 AM
to sqlalchemy
Hi,
Is the security vulnerability listed in the National Vulnerability Database (https://nvd.nist.gov/vuln/detail/CVE-2019-7164) fixed in the latest version, v1.3.8?

Thanks

Regards
Anand

Mike Bayer

Sep 13, 2019, 10:31:22 AM
to noreply-spamdigest via sqlalchemy
Yes. Per the headline linked in that article: "SQLAlchemy through 1.2.17 and 1.3.x **through 1.3.0b2** allows SQL Injection via the order_by parameter." Version 1.3.8 is much newer than version 1.3.0b2. The changelog for the issue is noted in 1.3.0b3 at https://docs.sqlalchemy.org/en/13/changelog/changelog_13.html#change-096e1e64a6a2c7ad62313c83506341a3 .
--
SQLAlchemy -
The Python SQL Toolkit and Object Relational Mapper
 
 
To post example code, please provide an MCVE: Minimal, Complete, and Verifiable Example. See http://stackoverflow.com/help/mcve for a full description.
---
You received this message because you are subscribed to the Google Groups "sqlalchemy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sqlalchemy+...@googlegroups.com.
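
The version comparison in the reply above, as an added example that is not part of the thread or of SQLAlchemy: it flags `sqlalchemy==X` pins that fall inside the ranges quoted from the NVD headline, ordering pre-releases such as 1.3.0b2 before the final 1.3.0 (a plain string comparison gets that wrong). The function names and the sample requirements text are constructed for illustration, and only exact `==` pins are handled.

```python
import re

# Affected ranges exactly as quoted in the thread from the NVD headline:
# "through 1.2.17 and 1.3.x through 1.3.0b2".
LAST_AFFECTED_12 = "1.2.17"
LAST_AFFECTED_13 = "1.3.0b2"

_PRE_RANK = {"a": 0, "b": 1, "rc": 2}  # pre-releases sort before the final release
_FINAL = (3, 0)
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")

def parse_version(text):
    """Return a sortable key for N.N.N[{a|b|rc}N] version strings."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    release += [0] * (3 - len(release))  # so "1.3" compares equal to "1.3.0"
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else _FINAL
    return (tuple(release), pre)

def is_affected(version):
    """True if the version lies inside the ranges quoted in the thread."""
    key = parse_version(version)
    if key[0][:2] == (1, 3):
        return key <= parse_version(LAST_AFFECTED_13)
    return key <= parse_version(LAST_AFFECTED_12)

def affected_pins(requirements_text):
    """Return (line_number, version) for each affected 'sqlalchemy==X' pin."""
    hits = []
    for n, line in enumerate(requirements_text.splitlines(), 1):
        m = re.match(r"\s*sqlalchemy\s*==\s*([^\s;#]+)", line, re.IGNORECASE)
        if m and is_affected(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

# Constructed sample input, not taken from any real project.
SAMPLE = """\
flask==1.1.1
SQLAlchemy==1.3.0b2
sqlalchemy==1.3.8  # the version asked about in the thread
sqlalchemy == 1.2.17
"""

if __name__ == "__main__":
    for line_no, version in affected_pins(SAMPLE):
        print(f"line {line_no}: sqlalchemy {version} is in the affected range")
```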


ANAND NARAYAN

Sep 14, 2019, 12:39:04 AM
to sqlalchemy
Mike, thanks for sharing the information.

Best Regards,
Anand

