[tryton-announces] Security Release for issue #93

[News - Tryton Discussion: ced]

Security Release for issue #93 Cédric Krier has found that python-sql does not escape non-_expression_ for unary operators (like And and Or) which makes any system exposing those vulnerable to an SQL injection attack. Impact CVSS v3.0 Base Score: 9.1 Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: Low Availability: Low Workaround There is no known workaround. Resolution All affected users should upgrade python-sql to the latest version. Affected versions: <= 1.5.1 Non affected versions: >= 1.5.2 Reference Unary operators does not escape non-_expression_ (#93) · Issues · Tryton / python-sql · GitLab Concerns? Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/python-sql with the confidential checkbox checked. 3 posts - 3 participants Read full topic URL: https://discuss.tryton.org/t/security-release-for-issue-93/7889