{"id":"GHSA-pq9p-pc3p-9hm4","summary":"python-sql SQL injection vulnerability","details":"A vulnerability was found in python-sql where unary operators do not escape non-Expression (like `And` and `Or`), which makes any system exposing those operators vulnerable to an SQL injection attack. The fix is released in python-sql 1.5.2; all earlier versions are affected.","aliases":["CVE-2024-9774"],"modified":"2025-02-07T06:35:43.514326Z","published":"2024-12-27T03:31:23Z","database_specific":{"severity":"MODERATE","nvd_published_at":"2024-12-27T02:15:07Z","github_reviewed":true,"github_reviewed_at":"2024-12-27T18:02:41Z","cwe_ids":["CWE-150"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-9774"},{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2024-9774"},{"type":"WEB","url":"https://bugs.tryton.org/python-sql/93"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2332734"},{"type":"WEB","url":"https://discuss.tryton.org/t/security-release-for-issue-93/7889"},{"type":"WEB","url":"https://discuss.tryton.org/t/security-release-for-issue-93/7889/3"},{"type":"WEB","url":"https://foss.heptapod.net/tryton/python-sql/-/commit/f20551bbb8b3b4c4dd0a2c3d36f377bff6f2f349"},{"type":"PACKAGE","url":"https://github.com/tryton/python-sql"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00023.html"}],"affected":[{"package":{"name":"python-sql","ecosystem":"PyPI","purl":"pkg:pypi/python-sql"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.2"}]}],"versions":["0.1","0.2","0.3","0.4","0.5","0.6","0.7","0.8","0.9","1.0.0","1.1.0","1.2.0","1.2.1","1.2.2","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.5.0","1.5.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-pq9p-pc3p-9hm4/GHSA-pq9p-pc3p-9hm4.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"}]}