GHSA-2777-2vq8-c4v4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2777-2vq8-c4v4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-2777-2vq8-c4v4/GHSA-2777-2vq8-c4v4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2777-2vq8-c4v4
- Aliases
- Published
- 2019-04-11T16:33:17Z
- Modified
- 2023-11-20T22:07:00Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- SQL Injection in sequelize
- Details
-
Versions of
sequelizeprior to 5.3.0 (excluding v3 and v4) are vulnerable to SQL Injection. PostgreSQL optionstandard_conforming_stringsis not set toonby default, which may allow attackers to inject SQL statements due to poor handling of backslashes in string literals.Recommendation
Upgrade to version 5.3.0 or later.
- Database specific
{ "nvd_published_at": "2019-04-10T21:29:01Z", "severity": "HIGH", "github_reviewed_at": "2020-06-16T20:51:40Z", "github_reviewed": true, "cwe_ids": [ "CWE-20" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-11069
- https://github.com/sequelize/sequelize/pull/10746
- https://github.com/sequelize/sequelize/pull/10746/files
- https://github.com/sequelize/sequelize/commit/850c7fd04669e0fef9238b6dc4f8d6ee93ed71e9
- https://github.com/sequelize/sequelize
- https://github.com/sequelize/sequelize/blob/98cb17c17f73e2aa1792aa5a1d31216ba984b456/lib/dialects/postgres/connection-manager.js#L158-L160
- https://github.com/sequelize/sequelize/releases/tag/v5.3.0
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-174167
Affected packages
npm / sequelize
Package
- Name
- sequelize
- View open source insights on deps.dev
- Purl
- pkg:npm/sequelize