GHSA-9c2p-jw8p-f84v

Suggest an improvement
Source
https://github.com/advisories/GHSA-9c2p-jw8p-f84v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-9c2p-jw8p-f84v/GHSA-9c2p-jw8p-f84v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9c2p-jw8p-f84v
Aliases
Published
2019-02-18T23:54:24Z
Modified
2023-11-08T03:58:12.386286Z
Severity
  • CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
SQL Injection in sequelize
Details

Affected versions of sequelize cast arrays to strings and fail to properly escape the resulting SQL statement, resulting in a SQL injection vulnerability.

Proof of Concept

In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped.

Example Query:

database.query('SELECT * FROM TestTable WHERE Name IN (:names)', {
  replacements: {
    names: directCopyOfUserInput
  }
});

If the user inputs the value of :names as:

["test", "'); DELETE TestTable WHERE Id = 1 --')"]

The resulting SQL statement will be:

SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --')

As the backslash has no special meaning in PostgreSQL, MSSQL, or SQLite, the statement will delete the record in TestTable with an Id of 1.

Recommendation

Update to version 3.20.0 or later.

References

Affected packages

npm / sequelize

Package

Affected ranges

Type
SEMVER
Events
Introduced
0The exact introduced commit is unknown
Fixed
3.20.0

Database specific

{
    "last_known_affected_version_range": "<= 3.19.3"
}