CVE-2022-40023 – python-mako: REDoS in Lexer class
https://notcve.org/view.php?id=CVE-2022-40023
Sqlalchemy mako before 1.2.2 is vulnerable to Regular Expression Denial of Service (ReDoS) when using the Lexer class to parse. This also affects babelplugin and linguaplugin. A vulnerability was found in the mako package. Affected versions of this package are vulnerable to ReDoS attacks, affecting system availability.
References: https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21 https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c https://github.com/sqlalchemy/mako/issues/366 https://lists.debian.org/debian-lts-announce/2022/09/msg00026.html https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages https://pyup.io/vulnerabilities/CVE-2022-40023/50870 https://access.redhat.com/security/cve/CVE-2022-40023 https://bugzilla.redhat.com
Weakness: CWE-1333: Inefficient Regular Expression Complexity
CVE-2019-7164 – python-sqlalchemy: SQL Injection when the order_by parameter can be controlled
https://notcve.org/view.php?id=CVE-2019-7164
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
References: http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00087.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00016.html https://access.redhat.com/errata/RHSA-2019:0981 https://access.redhat.com/errata/RHSA-2019:0984 https://github.com/sqlalchemy/sqlalchemy/issues/4481 https://lists.debian.org/debian-lts-announce/2019/03/msg00020.html https://lists.debian.org/debian-lts-announce/2021/11
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-7548 – python-sqlalchemy: SQL Injection when the group_by parameter can be controlled
https://notcve.org/view.php?id=CVE-2019-7548
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
References: http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00087.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00016.html https://access.redhat.com/errata/RHSA-2019:0981 https://access.redhat.com/errata/RHSA-2019:0984 https://github.com/no-security/sqlalchemy_test https://github.com/sqlalchemy/sqlalchemy/issues/4481#issuecomment-461204518 https://lists.debian.org/debian-lts-announce/2019/03/msg0
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2012-0805 – python-sqlalchemy: SQL injection flaw due to not checking LIMIT input for correct type
https://notcve.org/view.php?id=CVE-2012-0805
Multiple SQL injection vulnerabilities in SQLAlchemy before 0.7.0b4, as used in Keystone, allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset keyword to the select function, or unspecified vectors to the (3) select.limit or (4) select.offset function.
References: http://rhn.redhat.com/errata/RHSA-2012-0369.html http://secunia.com/advisories/48327 http://secunia.com/advisories/48328 http://secunia.com/advisories/48771 http://www.debian.org/security/2012/dsa-2449 http://www.mandriva.com/security/advisories?name=MDVSA-2012:059 http://www.sqlalchemy.org/changelog/CHANGES_0_7_0 http://www.sqlalchemy.org/trac/changeset/852b6a1a87e7 https://bugs.launchpad.net/keystone/+bug/918608 https://exchange.xforce.ibmcloud.com/vulnerabilities/73756 https
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')