CVE-2019-10757 – knex
Package
Manager: npm
Name: knex
Vulnerable Version: >=0 <0.19.5
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00281 (percentile: 0.51042)
Details
SQL Injection in knex
knex.js versions before 0.19.5 are vulnerable to a SQL injection attack. Identifiers are escaped incorrectly as part of the MSSQL dialect, allowing attackers to craft a malicious query to the host DB.
Metadata
Created: 2019-10-21T16:12:13Z
Modified: 2021-08-18T21:50:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-58v4-qwx5-7f59/GHSA-58v4-qwx5-7f59.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-58v4-qwx5-7f59
Finding: F297
Auto approve: 1