GHSA-58v4-qwx5-7f59

Source
https://github.com/advisories/GHSA-58v4-qwx5-7f59
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-58v4-qwx5-7f59/GHSA-58v4-qwx5-7f59.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-58v4-qwx5-7f59
Aliases
Published
2019-10-21T16:12:13Z
Modified
2025-01-14T07:14:15.387450Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
SQL Injection in knex
Details

knex.js versions before 0.19.5 are vulnerable to SQL injection. The MSSQL dialect escapes identifiers incorrectly, allowing attackers to craft a malicious query against the host database.

Database specific
{
    "nvd_published_at": "2019-10-08T20:15:00Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "CRITICAL",
    "github_reviewed_at": "2019-10-17T17:36:46Z",
    "github_reviewed": true
}
References

Affected packages

npm / knex

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.19.5