Closed
Description
CVE-2019-15562 references github.com/jinzhu/gorm, which may be a Go module.
Description:
** DISPUTED ** GORM before 1.9.10 allows SQL injection via incomplete parentheses. NOTE: Misusing Gorm by passing untrusted user input where Gorm expects trusted SQL fragments is a vulnerability in the application, not in Gorm.
References:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-15562
- web: https://github.com/jinzhu/gorm/releases/tag/v1.9.10
- fix: Fix #2517 : Check for incomplete parentheses to prevent SQL injection. go-gorm/gorm#2519
- fix: Revert check for incomplete parentheses go-gorm/gorm#2674
- report: SQL injection in Gorm With using first and find. go-gorm/gorm#2517 (comment)
- Imported by: https://pkg.go.dev/github.com/jinzhu/gorm?tab=importedby
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
modules:
  - module: github.com/jinzhu/gorm
    vulnerable_at: 1.9.16
    packages:
      - package: n/a
cves:
  - CVE-2019-15562
references:
  - web: https://github.com/jinzhu/gorm/releases/tag/v1.9.10
  - fix: https://github.com/go-gorm/gorm/pull/2519
  - fix: https://github.com/go-gorm/gorm/pull/2674
  - report: https://github.com/go-gorm/gorm/issues/2517#issuecomment-638145427