exploitDog
GHSA-9j2c-x8qm-qmjq

Published: 20 Apr 2020
Source: github
GitHub: reviewed
CVSS4: 5.3
CVSS3: 6.3

Description

SQL injection in Tortoise ORM

Impact

Various forms of SQL injection have been found for MySQL when filtering or doing mass updates on char/text fields. SQLite and PostgreSQL were only affected when filtering with the contains, starts_with or ends_with filters (and their case-insensitive counterparts).
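The following is an added illustration of the bug class named above, not Tortoise ORM's code and not a reproduction of the exact query construction that was fixed. It uses only the standard-library sqlite3 module: a contains-style filter that splices the search term into the SQL text (so a quote in the term changes the query) is contrasted with one that binds the term as a parameter and escapes the LIKE wildcards. The `user` table, its rows, the payload and the helper names (`setup_db`, `filter_contains_unsafe`, `escape_like`, `filter_contains_safe`) are all constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the advisory).
SAMPLE_USERS = [("alice", 1), ("bob", 0), ("carol_smith", 0)]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory SQLite table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO user (name, is_admin) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def filter_contains_unsafe(conn: sqlite3.Connection, needle: str) -> list[str]:
    """Vulnerable 'contains' filter: the search term is spliced into the SQL text.

    A single quote in `needle` terminates the string literal, so the rest of the
    term is parsed as SQL (CWE-89).
    """
    sql = f"SELECT name FROM user WHERE name LIKE '%{needle}%'"
    return [row[0] for row in conn.execute(sql)]


def escape_like(value: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters so `value` is matched literally.

    The escape character itself is escaped first, then % and _.
    """
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def filter_contains_safe(conn: sqlite3.Connection, needle: str) -> list[str]:
    """Hardened 'contains' filter.

    The wildcard pattern is assembled in Python and passed as a bound
    parameter, so the term can never alter the query's structure. The ESCAPE
    clause stops % and _ inside user input from acting as wildcards (SQLite
    has no default escape character for LIKE).
    """
    pattern = "%" + escape_like(needle) + "%"
    sql = "SELECT name FROM user WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = setup_db()
    # Constructed payload: closes the literal and appends an OR clause.
    payload = "x' OR is_admin=1 OR 'x"
    print("unsafe:", filter_contains_unsafe(db, payload))  # ['alice']
    print("safe:  ", filter_contains_safe(db, payload))    # []
    print("safe _:", filter_contains_safe(db, "_"))        # ['carol_smith']
```

With the payload the unsafe variant returns the admin row because the query has become `... WHERE name LIKE '%x' OR is_admin=1 OR 'x%'`; the safe variant returns nothing, since no name literally contains the payload. The same shape covers starts_with (`escaped%`) and ends_with (`%escaped`). On MySQL and PostgreSQL the backslash is already the default LIKE escape character, so the ESCAPE clause is optional there but harmless.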

Patches

Please upgrade to 0.15.23+ or 0.16.6+

For more information

If you have any questions or comments about this advisory:

Packages

Name           Ecosystem   Affected versions       Fixed version
tortoise-orm   pip         < 0.15.23               0.15.23
tortoise-orm   pip         >= 0.16.0, < 0.16.6     0.16.6

EPSS: 0.00245 (47th percentile, Low)
CVSS4: 5.3 Medium
CVSS3: 6.3 Medium
Weaknesses: CWE-89

Related vulnerabilities

nvd (CVSS3: 6.3), almost 6 years ago

In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of SQL injection have been found for MySQL and when filtering or doing mass-updates on char/text fields. SQLite & PostgreSQL are only affected when filtering with contains, starts_with, or ends_with filters (and their case-insensitive counterparts).

EPSS: 0.00245 (47th percentile, Low); CVSS4: 5.3 Medium; CVSS3: 6.3 Medium; Weaknesses: CWE-89