10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
51.7%
Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL
User.findAll({
attributes: [
['count(id)', 'count']
]
});
Produced
SELECT count(id) AS "count" FROM "users"
This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.
This issue has been patched in @sequelize/[email protected]
and [email protected]
.
In Sequelize 7, it now produces the following:
SELECT "count(id)" AS "count" FROM "users"
In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include ()
without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.
Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the rawAttributes
property of your model first.
A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694
CVE: CVE-2023-22578
CPE | Name | Operator | Version |
---|---|---|---|
sequelize | lt | 6.29.0 | |
@sequelize/core | lt | 7.0.0-alpha.20 |
csirt.divd.nl/CVE-2023-22578
csirt.divd.nl/DIVD-2022-00020
github.com/sequelize/sequelize
github.com/sequelize/sequelize/discussions/15694
github.com/sequelize/sequelize/pull/15710
github.com/sequelize/sequelize/releases/tag/v6.29.0
github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20
github.com/sequelize/sequelize/security/advisories/GHSA-f598-mfpv-gmfx
nvd.nist.gov/vuln/detail/CVE-2023-22578