Lucene search

GoogleOSV:GHSA-8C25-F3MJ-V6H8

HistoryFeb 16, 2023 - 3:30 p.m.

Sequelize information disclosure vulnerability

2023-02-1615:30:28

Google

osv.dev

sequelize

input filtering

information disclosure

library

vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

44.1%

JSON

Due to improper input filtering in the sequelize js library, can malicious queries lead to sensitive information disclosure.

CPENameOperatorVersion
@sequelize/corelt7.0.0-alpha.20
sequelizelt6.28.1

CPE	Name	Operator	Version
	@sequelize/core	lt	7.0.0-alpha.20
	sequelize	lt	6.28.1

References

csirt.divd.nl/CVE-2023-22580

csirt.divd.nl/DIVD-2022-00020

github.com/sequelize/sequelize

github.com/sequelize/sequelize/pull/15375

github.com/sequelize/sequelize/pull/15699

github.com/sequelize/sequelize/releases/tag/v6.28.1

github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20

nvd.nist.gov/vuln/detail/CVE-2023-22580

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

44.1%

JSON

Related for OSV:GHSA-8C25-F3MJ-V6H8