CVE-2020-11010: SQL injection in Tortoise ORM
Various forms of SQL injection have been found. On MySQL, the ORM is affected when filtering or doing mass updates on char/text fields. SQLite and PostgreSQL are affected only when filtering with the contains, starts_with or ends_with filters (and their case-insensitive counterparts).
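The advisory describes the two query shapes involved, a substring-style filter and a mass update, without spelling out the mechanism. The following is an added illustration written for this page, not Tortoise ORM's code and not the patched code from the referenced commit: it builds each shape by string formatting, shows what a crafted value does to it, and then rebuilds it with bound parameters. The table, rows and payload strings are constructed for the demo, and the example goes beyond the advisory in one respect: the hardened filter also escapes the LIKE wildcards % and _ so that user input is matched literally rather than as a pattern.

```python
import sqlite3

# Constructed sample data (not from the advisory): four user rows to filter and update.
ROWS = [("alice",), ("bob",), ("carol",), ("50%_off",)]

# Constructed attacker value for the LIKE filter: closes the pattern literal and
# appends a second condition that matches every row.
FILTER_PAYLOAD = "x%' OR name LIKE '%"

# Constructed attacker value for the mass update: closes the literal and smuggles in
# a WHERE clause, so an update meant for every row is redirected to one of them.
UPDATE_PAYLOAD = "pwned' WHERE name = 'alice"


def connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT)")
    con.executemany("INSERT INTO users (name) VALUES (?)", ROWS)
    return con


def contains_vulnerable(con, value):
    # The filter value is formatted straight into the LIKE pattern literal,
    # so a quote in the value ends the literal and the rest becomes SQL.
    sql = f"SELECT name FROM users WHERE name LIKE '%{value}%'"
    return sorted(r[0] for r in con.execute(sql))


def escape_like(value, esc="\\"):
    # Escape the escape character first, then the LIKE metacharacters, so the
    # value is matched as a literal substring instead of as a pattern.
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def contains_safe(con, value):
    # The whole pattern travels as a bound parameter; quoting is the driver's job,
    # and the ESCAPE clause tells LIKE which character escape_like() used.
    pattern = "%" + escape_like(value) + "%"
    sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'"
    return sorted(r[0] for r in con.execute(sql, (pattern,)))


def mass_update_vulnerable(con, new_name):
    # Intended semantics: rename every row. The value is interpolated, so the
    # attacker can append a WHERE clause and pick which rows are touched.
    con.execute(f"UPDATE users SET name = '{new_name}'")
    return sorted(r[0] for r in con.execute("SELECT name FROM users"))


def mass_update_safe(con, new_name):
    # Bound parameter: the value is stored verbatim, SQL structure is untouched.
    con.execute("UPDATE users SET name = ?", (new_name,))
    return sorted(r[0] for r in con.execute("SELECT name FROM users"))


def demo():
    # Each call gets a fresh in-memory database so results do not depend on order.
    return {
        "filter_vulnerable": contains_vulnerable(connect(), FILTER_PAYLOAD),
        "filter_safe": contains_safe(connect(), FILTER_PAYLOAD),
        "filter_safe_wildcards": contains_safe(connect(), "%_"),
        "update_vulnerable": mass_update_vulnerable(connect(), UPDATE_PAYLOAD),
        "update_safe": mass_update_safe(connect(), UPDATE_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable filter returns all four rows for the payload and the vulnerable update renames only alice instead of everyone; the parameterized versions return no match and rename every row to the literal payload string. Note the general caveat the MySQL part of the advisory points at: a hand-rolled escaper that only doubles single quotes is not a substitute for bound parameters, because MySQL also treats backslash as an escape character in string literals, so the same escaped text can be read differently by different databases. Bound parameters avoid the question entirely.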
References
- github.com/advisories/GHSA-9j2c-x8qm-qmjq
- github.com/pypa/advisory-database/tree/main/vulns/tortoise-orm/PYSEC-2020-144.yaml
- github.com/tortoise/tortoise-orm
- github.com/tortoise/tortoise-orm/commit/91c364053e0ddf77edc5442914c6f049512678b3
- github.com/tortoise/tortoise-orm/security/advisories/GHSA-9j2c-x8qm-qmjq
- nvd.nist.gov/vuln/detail/CVE-2020-11010