Version 2.0.36
SQLAlchemy
Database Abstraction Library
Install Instructions
pip install SQLAlchemy
Current Version Release Date October 16, 2024
Language Python
Package URL (purl) pkg:pip/SQLAlchemy@2.0.36
Find SQLAlchemy vulnerabilities in your supply chain.
SQLAlchemy Vulnerabilities
Sort by
CVE (Latest)
CVE (Latest)
-
CVE (Latest)
-
CVE (Oldest)
-
CVSS Score (Highest)
-
CVSS Score (Lowest)
CVE  |
CVSS Score |
CWE(s) |
EPSS Score |
EPSS % |
Impacted Versions |
|---|---|---|---|---|---|
| CVE-2019-7164 | High 9.8 | CWE-89 | 0.01888 | 0.88926 |
|
| CVE-2019-7548 | High 7.8 | CWE-89 | 0.00244 | 0.65151 |
|
| CVE-2012-0805 | High 7.5 | CWE-89 | 0.0038 | 0.73644 |
|
SQLAlchemy Vulnerability Remediation Guidance
| CVE | Description | Full list of Impacted Versions | Fix |
|---|---|---|---|
| CVE-2019-7548 | SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled. | 1.3.0b3, 1.3.0b1, 1.3.0b2, 1.2.0, 1.2.0b3, 1.2.0b2, 1.2.0b1, 1.1.0 (Show all) | Patch → 1.3.0 |
| CVE-2019-7164 | SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. | 1.3.0b3, 1.3.0b1, 1.3.0b2, 1.2.0, 1.2.0b3, 1.2.0b2, 1.2.0b1, 1.1.0 (Show all) | Patch → 1.3.0 |
| CVE-2012-0805 | Multiple SQL injection vulnerabilities in SQLAlchemy before 0.7.0b4, as used in Keystone, allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset keyword to the select function, or unspecified vectors to the (3) select.limit or (4) select.offset function. | 0.6.0, 0.6beta3, 0.6beta2, 0.6beta1, 0.5.0, 0.5.0rc4, 0.5.0rc3, 0.5.0rc2 (Show all) | Major → 1.2.18 |
Instantly see if these SQLAlchemy vulnerabilities affect your code.
Dependencies
Packages using versions of SQLAlchemy affected by its vulnerabilities
| Dependent Packages |
|---|
| importlib-metadata; python_version < "3.8" |
| greenlet!=0.4.17; python_version < "3.13" and (platform_machine == "aarch64" or (platform_machine == "ppc64le" or (platform_machine == "x86_64" or (platform_machine == "amd64" or (platform_machine == "AMD64" or (platform_machine == "win32" or platform_machine == "WIN32")))))) |
| typing-extensions>=4.6.0 |
| greenlet!=0.4.17; extra == "asyncio" |
| mypy>=0.910; extra == "mypy" |
| pyodbc; extra == "mssql" |
| pymssql; extra == "mssql-pymssql" |
| pyodbc; extra == "mssql-pyodbc" |
| mysqlclient>=1.4.0; extra == "mysql" |
| mysql-connector-python; extra == "mysql-connector" |
| mariadb!=1.1.10,!=1.1.2,!=1.1.5,>=1.0.1; extra == "mariadb-connector" |
| cx_oracle>=8; extra == "oracle" |
| oracledb>=1.0.1; extra == "oracle-oracledb" |
| psycopg2>=2.7; extra == "postgresql" |
| pg8000>=1.29.1; extra == "postgresql-pg8000" |
| greenlet!=0.4.17; extra == "postgresql-asyncpg" |
| asyncpg; extra == "postgresql-asyncpg" |
| psycopg2-binary; extra == "postgresql-psycopg2binary" |
| psycopg2cffi; extra == "postgresql-psycopg2cffi" |
| psycopg>=3.0.7; extra == "postgresql-psycopg" |
| psycopg[binary]>=3.0.7; extra == "postgresql-psycopgbinary" |
| pymysql; extra == "pymysql" |
| greenlet!=0.4.17; extra == "aiomysql" |
| aiomysql>=0.2.0; extra == "aiomysql" |
| greenlet!=0.4.17; extra == "aioodbc" |
| aioodbc; extra == "aioodbc" |
| greenlet!=0.4.17; extra == "asyncmy" |
| asyncmy!=0.2.4,!=0.2.6,>=0.2.3; extra == "asyncmy" |
| greenlet!=0.4.17; extra == "aiosqlite" |
| aiosqlite; extra == "aiosqlite" |
| typing_extensions!=3.10.0.1; extra == "aiosqlite" |
| sqlcipher3_binary; extra == "sqlcipher" |