CVE-2012-0805
sqlalchemy - missing input sanitization
9.8
CRITICAL
CVSS 3.1
EPSS 2.2%
Description
Multiple SQL injection vulnerabilities in SQLAlchemy before 0.7.0b4, as used in Keystone, allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset keyword to the select function, or unspecified vectors to the (3) select.limit or (4) select.offset function.
How to fix CVE-2012-0805
To remediate CVE-2012-0805, upgrade the affected package to a fixed version below.
- —upgrade to 0.6.7-1 or later
- —upgrade to 0.6.3-3+squeeze1 or later
- —upgrade to 0.7.0b4 or later
- —upgrade to 0.7.0 or later
Is CVE-2012-0805 being exploited?
Low — EPSS is 2.2%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 0.6.7-1
- from 0, < 0.6.3-3+squeeze1
- from 0, < 0.7.0b4
- from 0, < 0.7.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |