Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yM2pjLTNxbW0tdzNwd84AA5JJ
SQLAlchemyDA unauthenticated arbitrary SQL query execution
Impact
The vulnerability allows unauthenticated execution of arbitrary SQL statements on the database the SQLAlchemyDA instance is connected to. All users are affected.
Patches
The problem has been patched in version 2.2.
Workarounds
There is no workaround. All users are urged to upgrade to version 2.2
Permalink: https://github.com/advisories/GHSA-r3jc-3qmm-w3pwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yM2pjLTNxbW0tdzNwd84AA5JJ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-r3jc-3qmm-w3pw, CVE-2024-24811
References:
- https://github.com/zopefoundation/Products.SQLAlchemyDA/security/advisories/GHSA-r3jc-3qmm-w3pw
- https://nvd.nist.gov/vuln/detail/CVE-2024-24811
- https://github.com/zopefoundation/Products.SQLAlchemyDA/commit/e682b99f8406f20bc3f0f2c77153ed7345fd215a
- https://github.com/advisories/GHSA-r3jc-3qmm-w3pw
Blast Radius: 0.0
Affected Packages
pypi:Products.SQLAlchemyDA
Dependent packages: 0Dependent repositories: 1
Downloads: 410 last month
Affected Version Ranges: < 2.2
Fixed in: 2.2
All affected versions: 0.4.0, 0.4.1, 0.5.0, 0.5.1, 1.0.0, 1.0.1, 1.0.2, 1.1.0
All unaffected versions: