Lucene search

GitHub Advisory DatabaseGHSA-2777-2VQ8-C4V4

HistoryApr 11, 2019 - 4:33 p.m.

SQL Injection in sequelize

2019-04-1116:33:17

CWE-20

GitHub Advisory Database

github.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.002 Low

EPSS

Percentile

55.3%

JSON

Versions of sequelize prior to 5.3.0 (excluding v3 and v4) are vulnerable to SQL Injection. PostgreSQL optionstandard_conforming_strings is not set to on by default, which may allow attackers to inject SQL statements due to poor handling of backslashes in string literals.

Recommendation

Upgrade to version 5.3.0 or later.

Affected configurations

Vulners

Node

sequelizesequelizeRange<5.3.0

CPENameOperatorVersion
sequelizelt5.3.0

CPE	Name	Operator	Version
	sequelize	lt	5.3.0

References

github.com/advisories/GHSA-2777-2vq8-c4v4

github.com/sequelize/sequelize/blob/98cb17c17f73e2aa1792aa5a1d31216ba984b456/lib/dialects/postgres/connection-manager.js#L158-L160

github.com/sequelize/sequelize/commit/850c7fd04669e0fef9238b6dc4f8d6ee93ed71e9

github.com/sequelize/sequelize/pull/10746

github.com/sequelize/sequelize/pull/10746/files

github.com/sequelize/sequelize/releases/tag/v5.3.0

nvd.nist.gov/vuln/detail/CVE-2019-11069

snyk.io/vuln/SNYK-JS-SEQUELIZE-174167

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.002 Low

EPSS

Percentile

55.3%

JSON

Related for GHSA-2777-2VQ8-C4V4