Description
SQLAlchemyDA is a generic database adapter for ZSQL methods. A vulnerability found in versions prior to 2.2 allows unauthenticated execution of arbitrary SQL statements on the database to which the SQLAlchemyDA instance is connected. All users are affected. The problem has been patched in version 2.2. There is no workaround for the problem.
References (2)
Core References
Vendor Advisory (x_refsource_confirm)
https://github.com/zopefoundation/Products.SQLAlchemyDA/security/advisories/GHSA-r3jc-3qmm-w3pw
Scores
CVSS v3
9.8
EPSS
0.0085
EPSS Percentile
74.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (2)
pypi/Products.SQLAlchemyDA
0 - 2.2 (PyPI)
zope/sqlalchemyda
< 2.2
Published
Feb 07, 2024
Tracked Since
Feb 18, 2026