# SQL Injection in sequelize

Advisory ID: NODEJS:1146
Published: Sep 05, 2019, 8:26 p.m. (2019-09-05 20:26:35)
Source: www.npmjs.com
EPSS: 0.002 (percentile 61.1%)

## Overview

Affected versions of `sequelize` are vulnerable to SQL injection. The function `sequelize.json()` did not correctly format the sub path of a JSON query: the sub path (for example the `id` in `data.id`) was interpolated into the generated SQL without adequate escaping or validation, so a sub path containing a quote or parenthesis can close the JSON expression and append arbitrary SQL. Any application that passes user-controlled input as the path argument of `sequelize.json()` therefore lets an attacker execute arbitrary SQL statements against the database. Exploitation example as given in the advisory (the enclosing query call is truncated on the page):

```js
  where: this.sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1)
});
```
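The following is an added example, not Sequelize's code and not part of the original advisory. It models the bug class in a few lines: a JSON sub path is spliced into a single-quoted SQL literal, so the advisory's payload closes the literal and turns the rest of the path into SQL. The query template (a MySQL-style `->>'$.path'` extraction), the helper names, and the segment whitelist used in the fixed variant are assumptions for illustration; they are not the template or the patch Sequelize actually uses.

```javascript
// Added example (not Sequelize's code): minimal model of the sub-path injection behind this advisory.
// The query template, helper names and whitelist below are assumptions for illustration only.

// Quote a column name as a SQL identifier (MySQL-style backticks), doubling any embedded backtick.
function quoteIdentifier(name) {
  return '`' + String(name).replace(/`/g, '``') + '`';
}

// VULNERABLE: the sub path is interpolated verbatim into a single-quoted literal.
// A segment containing a quote closes the literal and everything after it becomes SQL.
function jsonWhereVulnerable(path, value) {
  const [column, ...subPath] = path.split('.');
  return `(${quoteIdentifier(column)}->>'$.${subPath.join('.')}') = ${Number(value)}`;
}

// FIXED (assumed hardening, not the upstream patch): accept only plain key segments
// (letters, digits, underscore) before they reach SQL; anything else is rejected.
const SAFE_SEGMENT = /^[A-Za-z0-9_]+$/;

function jsonWhereSafe(path, value) {
  const [column, ...subPath] = path.split('.');
  if (subPath.length === 0) throw new Error('json path must contain at least one sub path');
  for (const segment of subPath) {
    if (!SAFE_SEGMENT.test(segment)) {
      throw new Error(`invalid json path segment: ${JSON.stringify(segment)}`);
    }
  }
  if (!Number.isFinite(Number(value))) throw new Error('value must be numeric');
  return `(${quoteIdentifier(column)}->>'$.${subPath.join('.')}') = ${Number(value)}`;
}

// Heuristic check: does the generated SQL hold exactly one statement with balanced single quotes?
// A ';' outside a string literal, or an unterminated literal, means the payload escaped the literal.
function looksLikeSingleStatement(sql) {
  let inString = false;
  for (const ch of sql) {
    if (ch === "'") inString = !inString;
    else if (ch === ';' && !inString) return false;
  }
  return !inString;
}

// Constructed inputs: a benign path and the payload quoted in the advisory.
const BENIGN_PATH = 'data.id';
const PAYLOAD_PATH = "data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ";

function demo() {
  const benign = jsonWhereVulnerable(BENIGN_PATH, 1);
  const injected = jsonWhereVulnerable(PAYLOAD_PATH, 1);
  let rejected = false;
  try {
    jsonWhereSafe(PAYLOAD_PATH, 1);
  } catch (e) {
    rejected = true;
  }
  return {
    benign,
    benignIsSingleStatement: looksLikeSingleStatement(benign),
    injected,
    injectedIsSingleStatement: looksLikeSingleStatement(injected),
    rejected,
  };
}

console.log(demo());
```

Running `demo()` shows the benign path producing a single comparison, the advisory's payload producing SQL with a `;` and a `DELETE` outside any string literal, and the whitelisted variant refusing the payload before any SQL is built. Whitelisting path segments is the more conservative choice here because JSON keys that applications query by are almost always plain identifiers; escaping the literal instead would also work but keeps hostile input in the SQL text.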

## Recommendation

If you are using `sequelize` 5.x, upgrade to version 5.15.1 or later.
If you are using `sequelize` 4.x, upgrade to version 4.44.3 or later.

## References

- [GitHub PR](https://github.com/sequelize/sequelize/pull/11329)
- [Snyk Report](https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751)
- [GitHub Advisory](https://github.com/advisories/GHSA-m9jw-237r-gvfv)
