GHSA-9C2P-JW8P-F84V
Vulnerability from github – Published: 2019-02-18 23:54 – Updated: 2023-09-11 21:48
VLAI?
Summary
SQL Injection in sequelize
Details
Affected versions of sequelize cast arrays to strings and fail to properly escape the resulting SQL statement, resulting in a SQL injection vulnerability.
Proof of Concept
In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped.
Example Query:
database.query('SELECT * FROM TestTable WHERE Name IN (:names)', {
replacements: {
names: directCopyOfUserInput
}
});
If the user inputs the value of :names as:
["test", "'); DELETE TestTable WHERE Id = 1 --')"]
The resulting SQL statement will be:
SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --')
As the backslash has no special meaning in PostgreSQL, MSSQL, or SQLite, the statement will delete the record in TestTable with an Id of 1.
Recommendation
Update to version 3.20.0 or later.
Severity ?
7.5 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.19.3"
},
"package": {
"ecosystem": "npm",
"name": "sequelize"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.20.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-10556"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:28:12Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Affected versions of `sequelize` cast arrays to strings and fail to properly escape the resulting SQL statement, resulting in a SQL injection vulnerability.\n\n\n## Proof of Concept\nIn Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped.\n\nExample Query:\n```\ndatabase.query(\u0027SELECT * FROM TestTable WHERE Name IN (:names)\u0027, {\n replacements: {\n names: directCopyOfUserInput\n }\n});\n```\n\nIf the user inputs the value of `:names` as:\n```\n[\"test\", \"\u0027); DELETE TestTable WHERE Id = 1 --\u0027)\"]\n```\n\nThe resulting SQL statement will be:\n```sql\nSELECT Id FROM Table WHERE Name IN (\u0027test\u0027, \u0027\\\u0027); DELETE TestTable WHERE Id = 1 --\u0027)\n```\nAs the backslash has no special meaning in PostgreSQL, MSSQL, or SQLite, the statement will delete the record in TestTable with an Id of 1.\n\n\n## Recommendation\n\nUpdate to version 3.20.0 or later.",
"id": "GHSA-9c2p-jw8p-f84v",
"modified": "2023-09-11T21:48:29Z",
"published": "2019-02-18T23:54:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10556"
},
{
"type": "WEB",
"url": "https://github.com/sequelize/sequelize/issues/5671"
},
{
"type": "WEB",
"url": "https://github.com/sequelize/sequelize/commit/23952a2b020cc3571f090e67dae7feb084e1be71"
},
{
"type": "WEB",
"url": "https://github.com/sequelize/sequelize/commits/v3.20.0?after=62e4dacb28a779a190a3e042b971dcd8c7926e49+34\u0026branch=v3.20.0\u0026qualified_name=refs%2Ftags%2Fv3.20.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "SQL Injection in sequelize"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…