CVE-2020-11010

Summary

In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of SQL injection have been found for MySQL and when filtering or doing mass-updates on char/text fields. SQLite & PostgreSQL are only affected when filtering with contains, starts_with, or ends_with filters (and their case-insensitive counterparts).

Affected Software

VendorProductVersion RangeStatus
tortoisetortoise-orm< 0.15.23affected
tortoisetortoise-orm>= 0.16.0, < 0.16.6affected

Weaknesses

  • CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CVE Program Container

Additional References

References