Cédric Krier has found that python-sql does not escape non-Expression operands of unary operators (like And and Or), which makes any system exposing those vulnerable to an SQL injection attack.
Impact
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: Low
- Availability: Low
Workaround
There is no known workaround.
Resolution
All affected users should upgrade python-sql to the latest version.
Affected versions: <= 1.5.1
Non-affected versions: >= 1.5.2
Reference
Concerns?
Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/python-sql with the confidential checkbox checked.