SQL Injection in Sqlalchemy

CVE-2012-0805

Multiple SQL injection vulnerabilities in SQLAlchemy before 0.7.0b4, as used in Keystone, allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset keyword to the select function, or unspecified vectors to th…

Vulnerability class: SQL Injection

EPSS: 0.016 (82.4th percentile) — read the EPSS interpretation.

Affected products

Sqlalchemy — versions 0.6.0, 0.6.1, 0.6.2
N/a — versions n/a

Weakness classification (CWE)

CWE-89 — SQL Injection

References

sqlalchemy-select-sql-injection(73756) (vdb-entry, x_refsource_XF)
MDVSA-2012:059 (vendor-advisory, x_refsource_MANDRIVA)
secalert@redhat.com (x_refsource_MISC)
secalert@redhat.com (x_refsource_CONFIRM, Exploit, Patch)
DSA-2449 (vendor-advisory, x_refsource_DEBIAN)
secalert@redhat.com (x_refsource_CONFIRM)
48771 (x_refsource_SECUNIA, third-party-advisory, Vendor Advisory)
48328 (x_refsource_SECUNIA, third-party-advisory, Vendor Advisory)
48327 (x_refsource_SECUNIA, third-party-advisory, Vendor Advisory)
RHSA-2012:0369 (x_refsource_REDHAT, vendor-advisory)