CVE-2019-7164

9.8 CRITICAL

📋 TL;DR

CVE-2019-7164 is a SQL injection vulnerability in SQLAlchemy that allows attackers to inject malicious SQL code via the order_by parameter. This affects applications using SQLAlchemy 1.2.17 and earlier, or 1.3.x through 1.3.0b2, potentially leading to unauthorized data access or manipulation.

💻 Affected Systems

Products:
  • SQLAlchemy
Versions: SQLAlchemy <= 1.2.17, SQLAlchemy 1.3.x through 1.3.0b2
Operating Systems: All operating systems running Python with SQLAlchemy
Default Config Vulnerable: ⚠️ Yes
Notes: Applications must use SQLAlchemy's order_by() method with user-supplied input to be vulnerable. The vulnerability is in the ORM layer itself.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, modification, or deletion, and potential remote code execution depending on database configuration.

🟠 Likely Case

Unauthorized data access, data exfiltration, or data manipulation in vulnerable applications.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries in place, though the vulnerability still exists at the ORM level.

🌐 Internet-Facing: HIGH - Web applications using SQLAlchemy with user-controlled order_by parameters are directly exposed.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via order_by is a well-known attack vector. Exploitation requires user input to reach the vulnerable order_by() method.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SQLAlchemy 1.2.18, SQLAlchemy 1.3.0

Vendor Advisory: https://github.com/sqlalchemy/sqlalchemy/security/advisories/GHSA-4c4g-f62p-6x7m

Restart Required: Yes

Instructions:

1. Update SQLAlchemy using pip: 'pip install --upgrade "sqlalchemy>=1.2.18"' or 'pip install --upgrade "sqlalchemy>=1.3.0"' (the quotes stop the shell from treating '>' as an output redirect).
2. Restart all Python applications using SQLAlchemy.
3. Test application functionality after the update.

🔧 Temporary Workarounds

Input Validation and Sanitization


Implement strict validation of user input for order_by parameters, allowing only whitelisted column names.

Use Parameterized Queries


Avoid passing user input directly to order_by(). Instead, use SQLAlchemy's text() with bound parameters or validate input against allowed columns.

🧯 If You Can't Patch

  • Implement strict input validation for all order_by parameters, allowing only pre-defined column names.
  • Use web application firewalls (WAF) with SQL injection protection rules to block malicious order_by payloads.
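The allow-list approach from the workarounds above and from this list, as an added example that is not code from SQLAlchemy or from the advisory. It uses the standard-library sqlite3 module so it runs stand-alone; the table schema, the column allow-list and the request values are constructed for the demo. The same mapping applies to SQLAlchemy: resolve the validated key to a Column object and pass that to order_by() instead of the raw request string.

```python
import sqlite3
from typing import List, Tuple

# Constructed for this demo: the only columns a client may sort by.
ALLOWED_SORT_COLUMNS = {"id", "name", "created_at"}


def validate_order_by(param: str) -> Tuple[str, str]:
    """Map a client sort key ('name' or '-name') onto an allow-listed column
    and a fixed direction. Anything not on the list is rejected, so no
    user-controlled text ever reaches the ORDER BY clause."""
    if not isinstance(param, str) or not param:
        raise ValueError("missing sort key")
    direction = "ASC"
    if param.startswith("-"):
        direction, param = "DESC", param[1:]
    if param not in ALLOWED_SORT_COLUMNS:
        # Values such as "name; DROP TABLE users--" end up here.
        raise ValueError(f"sort key not allowed: {param!r}")
    return param, direction


def fetch_users(conn: sqlite3.Connection, sort_param: str) -> List[tuple]:
    # Vulnerable pattern this replaces: query.order_by(request.args["order_by"]).
    column, direction = validate_order_by(sort_param)
    # Only the validated literal, never the raw request value, is interpolated.
    sql = f"SELECT id, name FROM users ORDER BY {column} {direction}"
    return conn.execute(sql).fetchall()


def demo() -> dict:
    """Run the hardened query on constructed data and report the outcomes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "carol", "2019-01-01"), (2, "alice", "2019-02-01"), (3, "bob", "2019-03-01")],
    )
    results = {"asc": fetch_users(conn, "name"), "desc": fetch_users(conn, "-name")}
    try:
        fetch_users(conn, "name; DROP TABLE users--")
        results["rejected"] = False
    except ValueError:
        results["rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```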

🔍 How to Verify

Check if Vulnerable:

Check SQLAlchemy version in Python: 'python -c "import sqlalchemy; print(sqlalchemy.__version__)"' and compare with affected versions.

Check Version:

python -c "import sqlalchemy; print(sqlalchemy.__version__)"

Verify Fix Applied:

Verify SQLAlchemy version is 1.2.18 or higher, or 1.3.0 or higher using the same command.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries with ORDER BY clauses containing special characters or SQL keywords
  • Database error logs showing SQL syntax errors from malformed ORDER BY statements

Network Indicators:

  • HTTP requests with order_by parameters containing SQL injection payloads (e.g., UNION, SELECT, --)

SIEM Query:

source=web_logs AND (order_by="*UNION*" OR order_by="*SELECT*" OR order_by="*--*" OR order_by="*;*")
