CVE-2019-7164 SQLAlchemy order_by Parameter SQL Injection Vulnerability – Feb 2019

Preface: SQLAlchemy is an open-source SQL toolkit and object-relational mapper (ORM) for the Python programming language released under the MIT License.

Who is their customer?
SQLAlchemy is used by organizations such as:
Yelp!
reddit
DropBox
The OpenStack Project
Survey Monkey

Modern programming languages are almost all object-oriented. While most object-oriented languages offer developer benefits such as componentization of code, ease of maintenance, possibility of reuse. This is the fact that they need for an OR mapper.

Vulnerability detail: SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.

Remedy:
SQLAlchemy has released a software updates at the following link:

https://github.com/sqlalchemy/sqlalchemy/releases