CVE-2019-10748 – sequelize
Package
Manager: npm
Name: sequelize
Vulnerable Version: >=0 <3.35.1 || >=4.0.0 <4.44.3 || >=5.0.0 <5.8.11
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00427 (percentile 0.61607)
Details
SQL Injection in sequelize
Affected versions of `sequelize` are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the MariaDB and MySQL dialects, which may allow attackers to inject SQL statements and execute arbitrary SQL queries.
Recommendation
If you are using `sequelize` 5.x, upgrade to version 5.8.11 or later.
If you are using `sequelize` 4.x, upgrade to version 4.44.3 or later.
If you are using `sequelize` 3.x, upgrade to version 3.35.1 or later.
Metadata
Created: 2019-11-06T17:11:10Z
Modified: 2021-08-18T22:09:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-j9xp-92vc-559j/GHSA-j9xp-92vc-559j.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-j9xp-92vc-559j
Finding: F297
Auto approve: 1