CVE-2019-10752 Information

Feb 14, 2021 cve

Description

Sequelize all versions prior to version 4.44.3 and 5.15.1 is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL MariaDB and SQLite.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/sequelize/sequelize/commit/9bd0bc1 https://github.com/sequelize/sequelize/commit/9bd0bc111b6f502223edf7e902680f7cc2ed541e https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751 https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8

Share on: