CVE-2019-10749 – sequelize
Package
Manager: npm
Name: sequelize
Vulnerable Version: >=0 <3.35.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00357 (percentile 0.57251)
Details
SQL Injection in sequelize
Versions of `sequelize` prior to 3.35.1 are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the Postgres dialect, which may allow attackers to inject SQL statements and execute arbitrary SQL queries.
Recommendation
Upgrade to version 3.35.1 or later.
Metadata
Created: 2019-11-08T17:05:17Z
Modified: 2021-08-18T22:10:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-2598-2f59-rmhq/GHSA-2598-2f59-rmhq.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-2598-2f59-rmhq
Finding: F297
Auto approve: 1