A vulnerability was found in SQLAlchemy 1.2.17. An SQL injection is possible when the group_by parameter can be controlled. References: https://github.com/no-security/sqlalchemy_test
Created python-sqlalchemy tracking bugs for this issue: Affects: fedora-all [bug 1674060]
Red Hat OpenStack uses the python-sqlalchemy library and the versions provided contain the vulnerable code. However, the vulnerability is not exposed in a way that would be exploitable within a Red Hat OpenStack installation.
This flaw is related to CVE-2019-7164 (bug 1678520) and is fixed by the same upstream patch. Upstream patch: https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414
This issue has been rated Moderate because it is not common in SQLAlchemy backed applications for the group_by parameter to be populated by an externally-controlled string. The upstream issue has more discussion about safe use of group_by and order_by.
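The safe pattern the comment above alludes to, as an added example that is not code from this bug or from the SQLAlchemy project: client-supplied names are resolved through an allowlist to real Column objects before reaching group_by(), so no externally controlled string is ever rendered as SQL text. The orders table and the GROUPABLE mapping are constructed for the example.

```python
from sqlalchemy import Column, Integer, MetaData, String, Table, func, select

# Constructed sample schema for the example.
metadata = MetaData()
orders = Table(
    "orders", metadata,
    Column("id", Integer, primary_key=True),
    Column("region", String(32)),
    Column("status", String(16)),
    Column("amount", Integer),
)

# Risky pattern from the advisory: query.group_by(request.args["by"])
# hands a raw string to group_by(), which on 1.2.17 is rendered as-is.

# Hardened pattern: the only GROUP BY targets a client may request, keyed by
# their public name and resolved to Column objects, never to SQL text.
GROUPABLE = {
    "region": orders.c.region,
    "status": orders.c.status,
}


def resolve_group_by(requested):
    """Map client-supplied field names to Column objects; reject anything else."""
    cols = []
    for name in requested:
        try:
            cols.append(GROUPABLE[name])
        except KeyError:
            raise ValueError(f"group_by field not permitted: {name!r}") from None
    return cols


def build_report(requested):
    """Build an aggregate query grouped only by allowlisted columns."""
    cols = resolve_group_by(requested)
    return select(*cols, func.sum(orders.c.amount)).group_by(*cols)


def render(stmt):
    """Render the statement to generic SQL for inspection or logging."""
    return str(stmt)
```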
Hi Hardik - can you please clarify that you are aware of an application that is passing untrusted input to group_by()? Note there are many functions and methods in SQLAlchemy which accept SQL string fragments that are rendered as-is, as they are expected to be just that, SQL fragments.
Hello Michael, No, I looked into calamari-server only. In Ceph, SQLAlchemy is used in calamari server. I can't see any way to exploit the calamari webapp via a web browser in a meaningful way. Marked Ceph as affected based on presence of vulnerable code and positive results from the POC against the bundled version 0.8.3 of python-sqlalchemy. I'll modify the flaw statement accordingly for the Ceph product to be more sensible.
Statement: This issue affects the versions of python-sqlalchemy (bundled in calamari-server) shipped with Red Hat Ceph Storage 2. However, this flaw is not known to be exploitable in any meaningful way within the calamari webapp. A future update may address this issue.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:0981 https://access.redhat.com/errata/RHSA-2019:0981
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:0984 https://access.redhat.com/errata/RHSA-2019:0984