Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlqMmMteDhxbS1xbWpx
SQL injection in Tortoise ORM
Impact
Various forms of SQL injection has been found, for MySQL and when filtering or doing mass-updates on char/text fields.
SQLite & PostgreSQL was only affected when filtering with contains, starts_with or ends_with filters (and their case-insensitive counterparts)
Patches
Please upgrade to 0.15.23+ or 0.16.6+
For more information
If you have any questions or comments about this advisory:
Permalink: https://github.com/advisories/GHSA-9j2c-x8qm-qmjqJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlqMmMteDhxbS1xbWpx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 5 years ago
Updated: 2 months ago
CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Percentage: 0.00104
EPSS Percentile: 0.43511
Identifiers: GHSA-9j2c-x8qm-qmjq, CVE-2020-11010
References:
- https://github.com/tortoise/tortoise-orm/security/advisories/GHSA-9j2c-x8qm-qmjq
- https://github.com/tortoise/tortoise-orm/commit/91c364053e0ddf77edc5442914c6f049512678b3
- https://nvd.nist.gov/vuln/detail/CVE-2020-11010
- https://github.com/pypa/advisory-database/tree/main/vulns/tortoise-orm/PYSEC-2020-144.yaml
- https://github.com/advisories/GHSA-9j2c-x8qm-qmjq
Blast Radius: 18.6
Affected Packages
pypi:tortoise-orm
Dependent packages: 66Dependent repositories: 892
Downloads: 176,998 last month
Affected Version Ranges: >= 0.16.0, < 0.16.6, < 0.15.23
Fixed in: 0.16.6, 0.15.23
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.7.9, 0.7.10, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.9.1, 0.9.2, 0.9.4, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.10.10, 0.10.11, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7, 0.11.8, 0.11.9, 0.11.10, 0.11.11, 0.11.12, 0.11.13, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.13.6, 0.13.7, 0.13.8, 0.13.9, 0.13.10, 0.13.11, 0.13.12, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.15.7, 0.15.8, 0.15.9, 0.15.10, 0.15.11, 0.15.12, 0.15.13, 0.15.14, 0.15.15, 0.15.16, 0.15.17, 0.15.18, 0.15.19, 0.15.20, 0.15.21, 0.15.22, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5
All unaffected versions: 0.15.23, 0.15.24, 0.16.6, 0.16.7, 0.16.8, 0.16.9, 0.16.10, 0.16.11, 0.16.12, 0.16.13, 0.16.14, 0.16.15, 0.16.16, 0.16.17, 0.16.18, 0.16.19, 0.16.20, 0.16.21, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.17.5, 0.17.6, 0.17.7, 0.17.8, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 0.20.0, 0.20.1, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.21.4, 0.21.5, 0.21.6, 0.21.7, 0.22.0, 0.22.1, 0.22.2, 0.23.0, 0.24.0