GHSA-2598-2f59-rmhq

Source

https://github.com/advisories/GHSA-2598-2f59-rmhq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-2598-2f59-rmhq/GHSA-2598-2f59-rmhq.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-2598-2f59-rmhq

Aliases

CVE-2019-10749

Published

2019-11-08T17:05:17Z

Modified

2025-01-08T05:42:12.514732Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

SQL Injection in sequelize

Details

Versions of sequelize prior to 3.35.1 are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the Postgres dialect, which may allow attackers to inject SQL statements and execute arbitrary SQL queries.

Recommendation

Upgrade to version 3.35.1 or later.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2019-11-07T23:29:06Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-89"
    ]
}

References

Affected packages

npm / sequelize

Package

Name: sequelize; View open source insights on deps.dev
Purl: pkg:npm/sequelize

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.35.1