Description
SQL Injection in sequelize
Versions of sequelize prior to 3.35.1 are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the Postgres dialect, which may allow attackers to inject SQL statements and execute arbitrary SQL queries.
Recommendation
Upgrade to version 3.35.1 or later.
Packages
Name
sequelize
npm
Affected versions: < 3.35.1
Fixed version: 3.35.1
Related vulnerabilities
CVSS3: 9.8
nvd
more than 6 years ago
sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect.