GHSA-vqfx-gj96-3w95
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vqfx-gj96-3w95
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vqfx-gj96-3w95/GHSA-vqfx-gj96-3w95.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vqfx-gj96-3w95
- Aliases
- Published
- 2023-02-23T16:58:56Z
- Modified
- 2023-11-08T04:11:37.032048Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Unsafe fall-through in getWhereConditions
- Details
-
Impact
Providing an invalid value to the
whereoption of a query caused Sequelize to ignore that option instead of throwing an error.A finder call like the following did not throw an error:
User.findAll({ where: new Date(), });As this option is typically used with plain javascript objects, be aware that this only happens at the top level of this option.
Patches
This issue has been patched in
sequelize@6.28.1&@sequelize/core@7.0.0.alpha-20References
A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15698
CVE: CVE-2023-22579 Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090
- References
-
- https://github.com/sequelize/sequelize/security/advisories/GHSA-vqfx-gj96-3w95
- https://nvd.nist.gov/vuln/detail/CVE-2023-22579
- https://github.com/sequelize/sequelize/pull/15375
- https://github.com/sequelize/sequelize/pull/15699
- https://csirt.divd.nl/CVE-2023-22579
- https://csirt.divd.nl/DIVD-2022-00020
- https://github.com/sequelize/sequelize
- https://github.com/sequelize/sequelize/discussions/15698
- https://github.com/sequelize/sequelize/releases/tag/v6.28.1
- https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20
Affected packages
npm / sequelize
Package
- Name
- sequelize
- View open source insights on deps.dev
- Purl
- pkg:npm/sequelize
npm / @sequelize/core
Package
- Name
- @sequelize/core
- View open source insights on deps.dev
- Purl
- pkg:npm/%40sequelize/core