CVE-2020-11010
CVE-2020-11010 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of SQL injection have been found for MySQL and when filtering or doing mass-updates on char/text fields. SQLite & PostgreSQL are only affected when filtering with contains, starts_with, or ends_with filters (and their case-insensitive counterparts). EPSS estimates a 1.04% chance of exploitation in the next 30 days.
Description
In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of SQL injection have been found for MySQL and when filtering or doing mass-updates on char/text fields. SQLite & PostgreSQL are only affected when filtering with contains, starts_with, or ends_with filters (and their case-insensitive counterparts).
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Tortoise Orm Project | Tortoise Orm | < 0.15.23 |
| Tortoise Orm Project | Tortoise Orm | >= 0.16.0, < 0.16.6 |
References
- https://github.com/tortoise/tortoise-orm/commit/91c364053e0ddf77edc5442914c6f049512678b3 (Patch, Third Party Advisory)
- https://github.com/tortoise/tortoise-orm/security/advisories/GHSA-9j2c-x8qm-qmjq (Third Party Advisory)
Source: NVD / NIST
