SQL injection in Tortoise ORM

Moderate severity GitHub Reviewed Published Apr 18, 2020 in tortoise/tortoise-orm • Updated Jan 9, 2023

Package

tortoise-orm (pip)

Affected versions

< 0.15.23
>= 0.16.0, < 0.16.6

Patched versions

0.15.23
0.16.6

Description

Impact

Various forms of SQL injection have been found for MySQL when filtering or doing mass-updates on char/text fields.
SQLite and PostgreSQL were only affected when filtering with the contains, starts_with or ends_with filters (and their case-insensitive counterparts).

Patches

Please upgrade to 0.15.23+ or 0.16.6+.

For more information

If you have any questions or comments about this advisory:

References

@grigi grigi published to tortoise/tortoise-orm Apr 18, 2020
Reviewed Apr 20, 2020
Published to the GitHub Advisory Database Apr 20, 2020
Last updated Jan 9, 2023

Severity

Moderate, 6.3 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS score

0.104% (43rd percentile)

Weaknesses

CVE ID

CVE-2020-11010

GHSA ID

GHSA-9j2c-x8qm-qmjq

Source code

No known source code