Veracode Vulnerability DatabaseVERACODE:47166

HistoryMay 24, 2024 - 8:27 a.m.

SQL Injection

2024-05-2408:27:02

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

pymysql

sql injection

vulnerability

json sanitization

arbitrary sql

untrusted input

security

8.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.6%

JSON

PyMySQL is vulnerable to SQL Injection. The vulnerability is due to improper JSON sanitization within the escape_dict function, which allows an attacker execute arbitrary SQL if an application handles untrusted JSON user input.

CPENameOperatorVersion
pymysqlle1.1.0
pymysqlle1.1.0

CPE	Name	Operator	Version
	pymysql	le	1.1.0
	pymysql	le	1.1.0

References

github.com/advisories/GHSA-v9hf-5j83-6xpp

github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c

github.com/PyMySQL/PyMySQL/releases/tag/v1.1.1

lists.debian.org/debian-lts-announce/2024/05/msg00017.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/23VXBV34GFRICCVYZ6KFMSSWY5UEXCF5/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35VOJS3SRJNLQIO7YTZFNM6RWHIHWTMK/

SQL Injection

References

Related