Lucene search
Leibale EidelmanNODEJS:102HistoryApr 18, 2016 - 9:16 p.m.
SQL Injection
2016-04-1821:16:04
Leibale Eidelman
www.npmjs.com
25
0.001 Low
EPSS
Percentile
41.9%
Overview
Affected versions of sequelize cast arrays to strings and fail to properly escape the resulting SQL statement, resulting in a SQL injection vulnerability.
Proof of Concept
In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped.
Example Query:
database.query('SELECT * FROM TestTable WHERE Name IN (:names)', {
replacements: {
names: directCopyOfUserInput
}
});
If the user inputs the value of :names as:
["test", "'); DELETE TestTable WHERE Id = 1 --')"]
The resulting SQL statement will be:
SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --')
As the backslash has no special meaning in PostgreSQL, MSSQL, or SQLite, the statement will delete the record in TestTable with an Id of 1.
Recommendation
Update to version 3.20.0 or later.
References
Related
cvelist
cvelist
CVE-2016-10556
2018-04-26 00:00:00
nvd
nvd
CVE-2016-10556
2018-05-29 20:29:00
cve
cve
CVE-2016-10556
2018-05-29 20:29:00
github
github
SQL Injection in sequelize
2019-02-18 23:54:24
prion
prion
Sql injection
2018-05-29 20:29:00
osv
osv
CVE-2016-10556
2018-05-29 20:29:00
SQL Injection in sequelize
2019-02-18 23:54:24