Vulnerability Details CVE-2019-15562
GORM before 1.9.10 allows SQL injection via incomplete parentheses. NOTE: Misusing Gorm by passing untrusted user input where Gorm expects trusted SQL fragments is a vulnerability in the application, not in Gorm
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 66.7%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://github.com/go-gorm/gorm/issues/2517#issuecomment-638145427
- https://github.com/go-gorm/gorm/pull/2519
- https://github.com/go-gorm/gorm/pull/2674
- https://github.com/jinzhu/gorm/releases/tag/v1.9.10
- https://github.com/go-gorm/gorm/issues/2517#issuecomment-638145427
- https://github.com/go-gorm/gorm/pull/2519
- https://github.com/go-gorm/gorm/pull/2674
- https://github.com/jinzhu/gorm/releases/tag/v1.9.10
Products affected by CVE-2019-15562
-
cpe:2.3:a:gorm:gorm:1.9.3
-
cpe:2.3:a:gorm:gorm:1.9.4
-
cpe:2.3:a:gorm:gorm:1.9.5
-
cpe:2.3:a:gorm:gorm:1.9.6
-
cpe:2.3:a:gorm:gorm:1.9.7
-
cpe:2.3:a:gorm:gorm:1.9.8