From 36fd98b0502f9b811ca6a00230c7824da7bf119a Mon Sep 17 00:00:00 2001
From: Oreofe Solarin
Date: Wed, 22 Apr 2026 13:50:31 -0400
Subject: [PATCH 1/2] fix: correct GHSA-887w-45rq-vxgf sqlalchemy fixed version 1.2.18 -> 1.3.0b1 (no 1.2.x backport)

---
 .../2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/advisories/github-reviewed/2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json b/advisories/github-reviewed/2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json
index 41eb7b4f8de1c..355b5f7b2b564 100644
--- a/advisories/github-reviewed/2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json
+++ b/advisories/github-reviewed/2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-887w-45rq-vxgf",
-  "modified": "2024-10-28T14:20:14Z",
+  "modified": "2026-04-22T00:00:00Z",
   "published": "2019-04-16T15:50:41Z",
   "aliases": [
     "CVE-2019-7164"
   ],
   "summary": "SQLAlchemy vulnerable to SQL Injection via order_by parameter",
-  "details": "SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.",
+  "details": "SQLAlchemy through 1.2.18 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. The fix (commit 30307c4) was never backported to the 1.2.x release branch; users on 1.2.x must upgrade to 1.3.0b3 or later.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -51,7 +51,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "1.2.18"
+              "fixed": "1.3.0b1"
             }
           ]
         }

From 9433ba17a7ab27a361bca2cdd27307e3d1b87f0c Mon Sep 17 00:00:00 2001
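Review bot: The new `details` text still caps the 1.2.x line at `through 1.2.18`, which reads as though a later 1.2.x release carries the fix, while the subject line states that no 1.2.x backport exists; someone triaging from the prose rather than the machine-readable range gets the opposite conclusion from each. Wording that matches the range, e.g. `"details": "SQLAlchemy 1.2.x (all releases) and 1.3.x before 1.3.0b3 allow SQL Injection via the order_by parameter. ..."`, removes the ambiguity. The hand-set `modified` value `2026-04-22T00:00:00Z` is an exact midnight; if this repository's publish step regenerates that field it is harmless, otherwise a real timestamp keeps the record from looking synthetic.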
From: Oreofe Solarin
Date: Fri, 24 Apr 2026 07:48:33 -0400
Subject: [PATCH 2/2] fix: collapse ranges into single range with fixed 1.3.0b3

Addresses review feedback: 1.3.0b1 is itself vulnerable (fixed in first range at 1.3.0b3), so setting fixed=1.3.0b1 in the second range would mislead tooling. Collapsing into a single range with fixed=1.3.0b3 is correct and unambiguous.
---
 .../GHSA-887w-45rq-vxgf.json | 25 +++----------------
 1 file changed, 3 insertions(+), 22 deletions(-)

diff --git a/advisories/github-reviewed/2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json b/advisories/github-reviewed/2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json
index 355b5f7b2b564..46c634bdbe955 100644
--- a/advisories/github-reviewed/2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json
+++ b/advisories/github-reviewed/2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-887w-45rq-vxgf",
-  "modified": "2026-04-22T00:00:00Z",
+  "modified": "2026-04-24T15:30:00Z",
   "published": "2019-04-16T15:50:41Z",
   "aliases": [
     "CVE-2019-7164"
   ],
   "summary": "SQLAlchemy vulnerable to SQL Injection via order_by parameter",
-  "details": "SQLAlchemy through 1.2.18 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. The fix (commit 30307c4) was never backported to the 1.2.x release branch; users on 1.2.x must upgrade to 1.3.0b3 or later.",
+  "details": "SQLAlchemy before 1.3.0b3 allows SQL Injection via the order_by parameter. The fix (commit 30307c4) was applied only to the main branch and was never backported to the 1.2.x release line; all 1.2.x versions remain vulnerable.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -19,25 +19,6 @@
       }
     ],
     "affected": [
-      {
-        "package": {
-          "ecosystem": "PyPI",
-          "name": "SQLAlchemy"
-        },
-        "ranges": [
-          {
-            "type": "ECOSYSTEM",
-            "events": [
-              {
-                "introduced": "1.3.0b1"
-              },
-              {
-                "fixed": "1.3.0b3"
-              }
-            ]
-          }
-        ]
-      },
       {
         "package": {
           "ecosystem": "PyPI",
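Review bot: The rewritten `details` identifies the upstream fix only by the abbreviated hash `30307c4` inside free text, which advisory consumers and fix-verification tooling cannot resolve on their own; the `references` array lies outside this hunk and is not touched, so if it does not already carry the full upstream commit URL, it should get an entry pointing at it (with the hash, not just the short form, in the URL). The prose and the collapsed range now agree on `before 1.3.0b3`, which is the right outcome of the feedback. The `modified` value `2026-04-24T15:30:00Z` is again hand-authored; if the repository's tooling rewrites it on publish this is fine, otherwise consider leaving it to the pipeline so two edits on the same day do not look like a single one.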
@@ -51,7 +32,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "1.3.0b1"
+              "fixed": "1.3.0b3"
             }
           ]
         }
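Review bot: With the separate 1.3.0b1–1.3.0b3 range deleted in the previous hunk, this single `"introduced": "0"` / `"fixed": "1.3.0b3"` range is what has to cover both the whole 1.2.x line and the 1.3.0b1/1.3.0b2 pre-releases; under the PEP 440 ordering that PyPI `ECOSYSTEM` ranges follow, 1.3.0b3 sorts before 1.3.0, so the final 1.3.0 release correctly falls outside the affected set. The enclosing `affected` entry continues past the end of the hunk, so it is not visible whether it also carries a `versions` list or a `database_specific.last_known_affected_version_range`, both of which this repository's advisories often include; if either is present it must be brought to the same bound (constructed example: `"last_known_affected_version_range": "<= 1.3.0b2"`) or it will contradict the range just corrected.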