CVE-2016-10554

Опубликовано: 31 мая 2018

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. Before version 1.7.0-alpha3, sequelize defaulted SQLite to use MySQL backslash escaping, even though SQLite uses Postgres escaping.

Ссылки

https://github.com/sequelize/sequelize/commit/c876192aa6ce1f67e22b26a4d175b8478615f42d
Patch
Third Party Advisory
https://nodesecurity.io/advisories/113
Patch
Third Party Advisory
https://github.com/sequelize/sequelize/commit/c876192aa6ce1f67e22b26a4d175b8478615f42d
Patch
Third Party Advisory
https://nodesecurity.io/advisories/113
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:sequelizejs:sequelize:*:*:*:*:*:node.js:*:*

Версия до 1.6.0 (включая)

cpe:2.3:a:sequelizejs:sequelize:1.7.0:alpha1:*:*:*:node.js:*:*

cpe:2.3:a:sequelizejs:sequelize:1.7.0:alpha2:*:*:*:node.js:*:*

EPSS

Процентиль: 65%

0.00486

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-x2jc-pwfj-h9p3

github

почти 7 лет назад

SQL Injection in sequelize