In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of SQL injection have been found for MySQL and when filtering or doing…
GitHub_M·CWE-89·Published 2020-04-20
In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of SQL injection have been found for MySQL and when filtering or doing mass-updates on char/text fields. SQLite & PostgreSQL are only affected when filtering with contains, starts_with, or ends_with filters (and their case-insensitive counterparts).
In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of SQL injection have been found for MySQL and when filtering or doing mass-updates on char/text fields. SQLite & PostgreSQL are only affected when filtering with contains, starts_with, or ends_with filters (and their case-insensitive counterparts).
In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of SQL injection have been found for MySQL and when filtering or doing mass-updates on char/text fields. SQLite & PostgreSQL are only affected when filtering with contains, starts_with, or ends_with filters (and their case-insensitive counterparts).
### Impact Various forms of SQL injection has been found, for MySQL and when filtering or doing mass-updates on char/text fields. SQLite & PostgreSQL was only affected when filtering with ``contains``, ``starts_with`` or ``ends_with`` filters (and their case-insensitive counterparts) ### Patches Please upgrade to 0.15.23+ or 0.16.6+ ### For more information If you have any questions or comments about this advisory: * Open an issue in [Github](https://github.com/tortoise/tortoise-orm/issues) * Chat to us on [Gitter](https://gitter.im/tortoise/community)
En Tortoise ORM versiones anteriores a la versión 0.15.23 y 0.16.6, varias formas de inyección SQL han sido encontradas para MySQL y cuando se filtra o realizan actualizaciones masivas en campos char/text. SQLite y PostgreSQL solo están afectados cuando se filtra con los filtros contains, starts_with, o ends_with (y sus homólogos que no distinguen entre mayúsculas y minúsculas).
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 6.5 | 8.0 | 6.4 | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| 3.1 | Primary | NVD | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 6.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| 3.1 | Primary | cve.org | 6.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| 3.1 | Secondary | NVD | 6.3 | 2.8 | 3.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| 3.1 | Secondary | GHSA | 6.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| 4.0 | Secondary | GHSA | 5.3 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |