Lucene search
GoogleOSV:GHSA-M9JW-237R-GVFVHistoryOct 25, 2019 - 7:43 p.m.
SQL Injection in sequelize
2019-10-2519:43:16
Google
osv.dev
9
EPSS
0.002
Percentile
61.1%
Affected versions of sequelize are vulnerable to SQL Injection. The function sequelize.json() incorrectly formatted sub paths for JSON queries, which allows attackers to inject SQL statements and execute arbitrary SQL queries if user input is passed to the query. Exploitation example:
return User.findAll({
where: this.sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1)
});
Recommendation
If you are using sequelize 5.x, upgrade to version 5.15.1 or later.
If you are using sequelize 4.x, upgrade to version 4.44.3 or later.
References
github.com/sequelize/sequelize/commit/9bd0bc1,
github.com/sequelize/sequelize/commit/9bd0bc111b6f502223edf7e902680f7cc2ed541e
github.com/sequelize/sequelize/pull/11329
nvd.nist.gov/vuln/detail/CVE-2019-10752
snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
snyk.io/vuln/SNYK-JS-SEQUELIZE-459751,
www.npmjs.com/advisories/1146
Related
cve
cve
CVE-2019-10752
2019-10-17 19:15:10
github
github
SQL Injection in sequelize
2019-10-25 19:43:16
nodejs
nodejs
SQL Injection
2019-09-05 20:26:35
veracode
veracode
SQL Injection
2019-10-18 05:34:12
osv
osv
CVE-2019-10752
2019-10-17 19:15:00
nvd
nvd
CVE-2019-10752
2019-10-17 19:15:10
prion
prion
Sql injection
2019-10-17 19:15:00
cvelist
cvelist
CVE-2019-10752
2019-10-17 18:12:43