GHSA-j9xp-92vc-559j

Suggest an improvement
Source
https://github.com/advisories/GHSA-j9xp-92vc-559j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-j9xp-92vc-559j/GHSA-j9xp-92vc-559j.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-j9xp-92vc-559j
Aliases
Published
2019-11-06T17:11:10Z
Modified
2024-11-09T01:42:13.734262Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
SQL Injection in sequelize
Details

Affected versions of sequelize are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the MariaDB and MySQL dialects, which may allow attackers to inject SQL statements and execute arbitrary SQL queries.

Recommendation

If you are using sequelize 5.x, upgrade to version 5.8.11 or later. If you are using sequelize 4.x, upgrade to version 4.44.3 or later. If you are using sequelize 3.x, upgrade to version 3.35.1 or later.

Database specific 
{
    "severity": "CRITICAL",
    "github_reviewed": true,
    "nvd_published_at": null,
    "github_reviewed_at": "2019-11-05T19:59:46Z",
    "cwe_ids": [
        "CWE-89"
    ]
}
References

Affected packages

npm / sequelize

Package

Name
sequelize
View open source insights on deps.dev
Purl
pkg:npm/sequelize

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.35.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-j9xp-92vc-559j/GHSA-j9xp-92vc-559j.json"

npm / sequelize

Package

Name
sequelize
View open source insights on deps.dev
Purl
pkg:npm/sequelize

Affected ranges

Type
SEMVER
Events
Introduced
4.0.0
Fixed
4.44.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-j9xp-92vc-559j/GHSA-j9xp-92vc-559j.json"

npm / sequelize

Package

Name
sequelize
View open source insights on deps.dev
Purl
pkg:npm/sequelize

Affected ranges

Type
SEMVER
Events
Introduced
5.0.0
Fixed
5.8.11

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-j9xp-92vc-559j/GHSA-j9xp-92vc-559j.json"