Lucene search

GitHub Advisory DatabaseGHSA-8C25-F3MJ-V6H8

HistoryFeb 16, 2023 - 3:30 p.m.

Sequelize information disclosure vulnerability

2023-02-1615:30:28

CWE-200

GitHub Advisory Database

github.com

sequelize

information disclosure

vulnerability

input filtering

sensitive information

malicious queries

software

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

44.1%

JSON

Due to improper input filtering in the sequelize js library, can malicious queries lead to sensitive information disclosure.

Affected configurations

Vulners

Node

sequelizecoreRange<7.0.0-alpha.20

sequelize_projectsequelizeRange<6.28.1

CPENameOperatorVersion
@sequelize/corelt7.0.0-alpha.20
sequelizelt6.28.1

CPE	Name	Operator	Version
	@sequelize/core	lt	7.0.0-alpha.20
	sequelize	lt	6.28.1

References

csirt.divd.nl/CVE-2023-22580

csirt.divd.nl/DIVD-2022-00020/

github.com/advisories/GHSA-8c25-f3mj-v6h8

github.com/sequelize/sequelize/pull/15375

github.com/sequelize/sequelize/pull/15699

github.com/sequelize/sequelize/releases/tag/v6.28.1

github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20

nvd.nist.gov/vuln/detail/CVE-2023-22580

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

44.1%

JSON

Related for GHSA-8C25-F3MJ-V6H8