Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wcTlwLXBjM3AtOWhtNM4ABCt3
python-sql SQL injection vulnerability
A vulnerability was found in python-sql where unary operators do not escape non-Expression (like And and Or) which makes any system exposing those vulnerable to an SQL injection attack.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcTlwLXBjM3AtOWhtNM4ABCt3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 13 days ago
Updated: 2 days ago
CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
EPSS Percentage: 0.00043
EPSS Percentile: 0.10932
Identifiers: GHSA-pq9p-pc3p-9hm4, CVE-2024-9774
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-9774
- https://discuss.tryton.org/t/security-release-for-issue-93/7889/3
- https://lists.debian.org/debian-lts-announce/2024/10/msg00023.html
- https://bugs.tryton.org/python-sql/93
- https://discuss.tryton.org/t/security-release-for-issue-93/7889
- https://foss.heptapod.net/tryton/python-sql/-/commit/f20551bbb8b3b4c4dd0a2c3d36f377bff6f2f349
- https://bugzilla.redhat.com/show_bug.cgi?id=2332734
- https://github.com/advisories/GHSA-pq9p-pc3p-9hm4
Affected Packages
pypi:python-sql
Dependent packages: 75Dependent repositories: 110
Downloads: 42,330 last month
Affected Version Ranges: < 1.5.2
Fixed in: 1.5.2
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1
All unaffected versions: 1.5.2