Platform
python
Component
products.sqlalchemyda
Fixed in
2.2.1
CVE-2024-24811 is a critical SQL injection vulnerability in SQLAlchemyDA (the Products.SQLAlchemyDA package, a Zope database adapter built on SQLAlchemy) affecting all releases before 2.2.1. The flaw lets an unauthenticated attacker execute arbitrary SQL statements against whatever database the adapter is connected to. Every deployment of an affected version is exposed; the fix shipped in version 2.2.1, which is the version this page lists as "Fixed in".
The impact is severe. Because the attacker controls the full SQL statement, application-level authentication and authorization checks are simply bypassed: the attacker reads whatever the adapter's database account can read, which may include user credentials, financial records or other confidential data. With a sufficiently privileged database account the attacker can also modify or delete data and, depending on the database engine and the account's permissions, reach file-system or operating-system functionality exposed by the server. Since no credentials are needed, anyone who can reach the application over the network can attempt the attack.
The vulnerability was publicly disclosed on February 7, 2024. No public exploit code or active campaigns are known at the time of writing, and the EPSS score on this page (0.85%, 75th percentile) reflects that. The CVSS base score of 9.8 (critical) nevertheless signals a high likelihood of exploitation once the issue is left unpatched; monitor security advisories and threat-intelligence feeds for changes.
Any application or system running Products.SQLAlchemyDA older than 2.2.1 is at risk, in particular Python applications that use the adapter to reach databases holding sensitive data or that are deployed in environments with weak network controls. Note that input validation in your own application code does not help here: the vulnerable code path is inside the adapter itself and is reachable without going through your application's own forms or views, which is why the advisory lists no workaround.
• python / server:
  import importlib.metadata

  # Affected range per this advisory: every release before 2.2.1.
  FIXED_VERSION = (2, 2, 1)

  def parse_version(version):
      # Compare numerically; string comparison would wrongly rank "2.10" below "2.2".
      parts = []
      for piece in version.split(".")[:3]:
          digits = "".join(ch for ch in piece if ch.isdigit())
          parts.append(int(digits) if digits else 0)
      parts += [0] * (3 - len(parts))
      return tuple(parts)

  def check_sqlalchemyda_version():
      try:
          # The distribution name is Products.SQLAlchemyDA (not sqlalchemy_utils).
          version = importlib.metadata.version("Products.SQLAlchemyDA")
      except importlib.metadata.PackageNotFoundError:
          print("SQLAlchemyDA not installed.")
          return
      print(f"SQLAlchemyDA version: {version}")
      if parse_version(version) < FIXED_VERSION:
          print("VULNERABLE: upgrade to version 2.2.1 or later.")
      else:
          print("Not vulnerable.")

  check_sqlalchemyda_version()
Disclosure
Exploit status
EPSS
0.85% (75th percentile)
CVSS vector
The primary mitigation for CVE-2024-24811 is to upgrade Products.SQLAlchemyDA to version 2.2.1 or later immediately. There is no workaround, so no combination of other controls substitutes for the patch. Until the upgrade is deployed, reduce the blast radius: restrict network access to the affected application, run the adapter under a database account limited to the privileges the application actually needs (no superuser, no DDL, no file or OS access), and review database activity logs for queries your application never issues, such as schema enumeration or writes from a read-only account.
To remediate, update the Products.SQLAlchemyDA library to version 2.2.1 or later; that release contains the security fix that stops unauthenticated execution of arbitrary SQL. Use pip (for example `pip install --upgrade "Products.SQLAlchemyDA>=2.2.1"`) or the installation method used in your environment, then redeploy and re-run the version check above.
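The log-review step above is easy to say and harder to do. The following is an added example, not code from this page or from the SQLAlchemyDA project: it parses a few constructed lines in PostgreSQL's default stderr log format (as produced with `log_statement = 'all'`) and flags statements a read-only application account should never issue. The rule set, the account name `app` and the log lines themselves are assumptions made up for the example; tune them to the queries your own application actually runs.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in PostgreSQL's default stderr log format
# (log_line_prefix '%m [%p] %u@%d ', log_statement = 'all'). Made up for
# this example; "app" is the assumed read-only application account.
SAMPLE_LOG = """\
2024-02-08 10:01:02.123 UTC [4711] app@shop LOG:  statement: SELECT id, name FROM products WHERE id = 42
2024-02-08 10:01:05.456 UTC [4711] app@shop LOG:  statement: SELECT table_name FROM information_schema.tables
2024-02-08 10:01:09.789 UTC [4711] app@shop LOG:  statement: SELECT usename, passwd FROM pg_shadow
2024-02-08 10:01:12.000 UTC [4711] app@shop LOG:  statement: COPY (SELECT 1) TO PROGRAM 'id'
2024-02-08 10:01:15.000 UTC [4712] app@shop LOG:  statement: UPDATE products SET price = 0 WHERE id = 42
2024-02-08 10:01:20.000 UTC [4713] admin@shop LOG:  statement: ALTER USER app WITH SUPERUSER
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<tz>\S+) \[(?P<pid>\d+)\] (?P<user>[^@]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)

# Heuristic rules, checked in order; the first match wins.
RULES = [
    ("schema_enumeration",
     re.compile(r"\b(information_schema|pg_catalog|pg_shadow|pg_authid)\b", re.I)),
    ("os_command",
     re.compile(r"\bTO PROGRAM\b|\bpg_read_file\b|\bxp_cmdshell\b", re.I)),
    ("privilege_change",
     re.compile(r"\b(ALTER|CREATE)\s+(USER|ROLE)\b|\bGRANT\b", re.I)),
]
# Any statement that writes or changes schema.
WRITE_RE = re.compile(r"^\s*(INSERT|UPDATE|DELETE|DROP|ALTER|TRUNCATE|CREATE)\b", re.I)


@dataclass
class Finding:
    ts: str
    user: str
    rule: str
    sql: str


def review_log(text, read_only_users):
    """Return a Finding for every logged statement that trips a rule.

    read_only_users: set of database account names that should only SELECT.
    """
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a statement line (e.g. a continuation or a different log level)
        user, sql = m["user"], m["sql"]
        for name, pattern in RULES:
            if pattern.search(sql):
                findings.append(Finding(m["ts"], user, name, sql))
                break
        else:
            # No generic rule fired; still flag writes from an account that should be read-only.
            if user in read_only_users and WRITE_RE.match(sql):
                findings.append(Finding(m["ts"], user, "write_by_readonly_user", sql))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG, read_only_users={"app"}):
        print(f"{f.ts} {f.user:<6} {f.rule:<24} {f.sql}")
```

Run against the constructed log the script flags five of the six lines; only the ordinary product lookup passes. Treat this as a compensating control for the window before you can patch, not as a substitute for the 2.2.1 upgrade: the rules are deliberately simple, will miss SQL crafted to avoid them, and will produce noise until they are tuned to the application's real query set.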
CVE-2024-24811 is a critical SQL injection vulnerability in SQLAlchemyDA (Products.SQLAlchemyDA) releases before 2.2.1 that lets an unauthenticated attacker execute arbitrary SQL against the connected database.
Yes: if you run any Products.SQLAlchemyDA version older than 2.2.1 you are affected, regardless of how your own application validates input. Upgrade immediately.
Upgrade to Products.SQLAlchemyDA 2.2.1 or later. There is no workaround; restricting network access and database privileges only limits the damage until the patch is applied.
No public exploits or active campaigns are currently known, but the critical severity (CVSS 9.8) warrants immediate attention.
Refer to the Products.SQLAlchemyDA project's documentation and release notes for the latest information and security advisories: https://github.com/zopefoundation/Products.SQLAlchemyDA