fix: correct GHSA-887w-45rq-vxgf sqlalchemy fixed version 1.2.18 -> 1.3.0b1#7486
Conversation
….3.0b1 (no 1.2.x backport)
github-actions
Bot
changed the base branch from
main
to
DEVSOG12/advisory-improvement-7486
There was a problem hiding this comment.
Pull request overview
Updates the OSV advisory for GHSA-887w-45rq-vxgf / CVE-2019-7164 to reflect that the SQL injection fix was not actually present in the SQLAlchemy 1.2.x line, adjusting the “fixed” version boundary and clarifying the advisory text accordingly.
Changes:
- Updates the advisory
detailsto explain the missing backport and required upgrade path. - Adjusts the PyPI ECOSYSTEM range “fixed” version for the 1.2.x line.
- Bumps the advisory
modifiedtimestamp.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "schema_version": "1.4.0", | ||
| "id": "GHSA-887w-45rq-vxgf", | ||
| "modified": "2024-10-28T14:20:14Z", | ||
| "modified": "2026-04-22T00:00:00Z", |
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "1.2.18" | ||
| "fixed": "1.3.0b1" | ||
| } |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
| ], | ||
| "summary": "SQLAlchemy vulnerable to SQL Injection via order_by parameter", | ||
| "details": "SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.", | ||
| "details": "SQLAlchemy through 1.2.18 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. The fix (commit 30307c4) was never backported to the 1.2.x release branch; users on 1.2.x must upgrade to 1.3.0b3 or later.", |
|
Strange: this CVE was not reported as fixed from v1.2.18 until commit 41214dc landed. I'll file an issue here about that - it seems like it was some kind of regression in the advisory metadata. |
Addresses review feedback: 1.3.0b1 is itself vulnerable (fixed in first range at 1.3.0b3), so setting fixed=1.3.0b1 in the second range would mislead tooling. Collapsing into a single range with fixed=1.3.0b3 is correct and unambiguous.
|
Thanks @jayaddison, good catch, and Copilot's review was spot on here. I've pushed a fix commit. |
|
You're welcome; thanks @DEVSOG12 |
advisory-database
Bot
merged commit 0cd8cac
into
github:DEVSOG12/advisory-improvement-7486
|
Hi @DEVSOG12! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
git merge-base --is-ancestor 30307c4616ad67c01ddae2e1e8e34fabf6028414 rel_1_2_18returns false — the fix commit was never backported to the 1.2.x release branch. The PyPI artifact for SQLAlchemy 1.2.18 shipslib/sqlalchemy/sql/compiler.pybyte-identical to the pre-fix state. The entire 1.2.x series remains vulnerable.The fix only exists on the main branch starting at 1.3.0b3. The 1.3.0b1-1.3.0b2 range (already correctly marked as affected) is unchanged.
Change: second ECOSYSTEM range
fixed: "1.2.18"->fixed: "1.3.0b1", meaning users on any 1.2.x version must upgrade to 1.3.x to get the fix. Updated details text to reflect this.Opened on behalf of the SQLAlchemy maintainers (@CaselIT, @zzzeek) per sqlalchemy/sqlalchemy#13252 (comment)