Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI1OTgtMmY1OS1ybWhx

SQL Injection in sequelize

Versions of sequelize prior to 3.35.1 are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the Postgres dialect, which may allow attackers to inject SQL statements and execute arbitrary SQL queries.

Recommendation

Upgrade to version 3.35.1 or later.

Permalink: https://github.com/advisories/GHSA-2598-2f59-rmhq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI1OTgtMmY1OS1ybWhx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 4 years ago
Updated: over 1 year ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-2598-2f59-rmhq, CVE-2019-10749
References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-10749
• https://github.com/sequelize/sequelize/commit/ee4017379db0059566ecb5424274ad4e2d66bc68
• https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450222
• https://www.npmjs.com/advisories/1017
• https://github.com/advisories/GHSA-2598-2f59-rmhq

Repository: https://github.com/sequelize/sequelize
Blast Radius: 51.8

Affected Packages