Untriaged
alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API
Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API (q=) was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been patched in version 9.1.0.
References
- https://github.com/alerta/alerta/security/advisories/GHSA-8prr-286p-4w7j (x_refsource_CONFIRM)
- https://github.com/alerta/alerta/pull/2040 (x_refsource_MISC)
- https://github.com/alerta/alerta/pull/712 (x_refsource_MISC)
- https://github.com/alerta/alerta/releases/tag/v9.1.0 (x_refsource_MISC)
Affected products
- alerta: < 9.1.0 (all versions prior to 9.1.0)
Matching in nixpkgs
- pkgs.alerta: Alerta Monitoring System command-line interface
- pkgs.alerta-server: Alerta Monitoring System server
- pkgs.python312Packages.meteoalertapi: Python wrapper for MeteoAlarm.org
- pkgs.python313Packages.meteoalertapi: Python wrapper for MeteoAlarm.org
- pkgs.python314Packages.meteoalertapi: Python wrapper for MeteoAlarm.org
Package maintainers
- @fabaff Fabian Affolter <mail@fabian-affolter.ch>