Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for Feathers-Sequalize by Feather js

    CVE-2022-2422 (GCVE-0-2022-2422)

    Vulnerability from nvd – Published: 2022-10-25 00:00 – Updated: 2025-03-11 13:41
    VLAI
    Title
    Feathers - SQL injection via attribute aliases
    Summary
    Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used.
    CWE
    Assigner
    References
    URL Tags
    https://csirt.divd.nl/DIVD-2022-00020 third-party-advisory
    https://csirt.divd.nl/CVE-2022-2422 third-party-advisory
    Impacted products
    Vendor Product Version
    Feather js Feathers-Sequalize Affected: 6.x , < 6.3.4 (custom)
    Create a notification for this product.
    Date Public
    2022-10-24 22:00
    Credits
    Thomas Rinsma (Codean) Kevin Valk (Codean) Victor Pasman (DIVD) Frank Breedijk (DIVD)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:39:07.281Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://csirt.divd.nl/DIVD-2022-00020"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://csirt.divd.nl/CVE-2022-2422"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Feathers-Sequalize",
              "vendor": "Feather js",
              "versions": [
                {
                  "lessThan": "6.3.4",
                  "status": "affected",
                  "version": "6.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Thomas Rinsma (Codean)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Kevin Valk (Codean)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Victor Pasman (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            }
          ],
          "datePublic": "2022-10-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used."
                }
              ],
              "value": "Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:41:09.960Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/DIVD-2022-00020"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2022-2422"
            }
          ],
          "source": {
            "advisory": "DIVD-2022-00020",
            "discovery": "EXTERNAL"
          },
          "title": "Feathers - SQL injection via attribute aliases",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2022-2422",
        "datePublished": "2022-10-25T00:00:00.000Z",
        "dateReserved": "2022-07-15T00:00:00.000Z",
        "dateUpdated": "2025-03-11T13:41:09.960Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-29823 (GCVE-0-2022-29823)

    Vulnerability from nvd – Published: 2022-10-25 00:00 – Updated: 2025-03-11 13:39
    VLAI
    Title
    Feathers - Query “__proto__” is converted to real prototype
    Summary
    Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application.
    CWE
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ("Prototype Pollution")
    Assigner
    References
    URL Tags
    https://csirt.divd.nl/DIVD-2022-00020 third-party-advisory
    https://csirt.divd.nl/CVE-2022-29823/ third-party-advisory
    Impacted products
    Vendor Product Version
    Feather js Feathers-Sequalize Affected: 6.x , < 6.3.4 (custom)
    Create a notification for this product.
    Date Public
    2022-10-24 22:00
    Credits
    Thomas Rinsma (Codean) Kevin Valk (Codean) Victor Pasman (DIVD) Frank Breedijk (DIVD)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:33:42.743Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://csirt.divd.nl/DIVD-2022-00020"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://csirt.divd.nl/CVE-2022-29823/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Feathers-Sequalize",
              "vendor": "Feather js",
              "versions": [
                {
                  "lessThan": "6.3.4",
                  "status": "affected",
                  "version": "6.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Thomas Rinsma (Codean)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Kevin Valk (Codean)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Victor Pasman (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            }
          ],
          "datePublic": "2022-10-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application."
                }
              ],
              "value": "Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\"Prototype Pollution\")",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:39:49.662Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/DIVD-2022-00020"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2022-29823/"
            }
          ],
          "source": {
            "advisory": "DIVD-2022-00020",
            "discovery": "EXTERNAL"
          },
          "title": "Feathers - Query \u201c__proto__\u201d is converted to real prototype",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2022-29823",
        "datePublished": "2022-10-25T00:00:00.000Z",
        "dateReserved": "2022-04-27T00:00:00.000Z",
        "dateUpdated": "2025-03-11T13:39:49.662Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-29822 (GCVE-0-2022-29822)

    Vulnerability from nvd – Published: 2022-10-25 00:00 – Updated: 2025-03-11 13:39
    VLAI
    Title
    Feathers - Improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection
    Summary
    Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection
    CWE
    Assigner
    References
    URL Tags
    https://csirt.divd.nl/CVE-2022-29822/ third-party-advisory
    https://csirt.divd.nl/DIVD-2022-00020 third-party-advisory
    Impacted products
    Vendor Product Version
    Feather js Feathers-Sequalize Affected: 6.x , < 6.3.4 (custom)
    Create a notification for this product.
    Date Public
    2022-10-24 22:00
    Credits
    Thomas Rinsma (Codean) Kevin Valk (Codean) Victor Pasman (DIVD) Frank Breedijk (DIVD)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:33:42.585Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://csirt.divd.nl/CVE-2022-29822/"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://csirt.divd.nl/DIVD-2022-00020"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Feathers-Sequalize",
              "vendor": "Feather js",
              "versions": [
                {
                  "lessThan": "6.3.4",
                  "status": "affected",
                  "version": "6.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Thomas Rinsma (Codean)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Kevin Valk (Codean)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Victor Pasman (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            }
          ],
          "datePublic": "2022-10-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection"
                }
              ],
              "value": "Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:39:56.587Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2022-29822/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/DIVD-2022-00020"
            }
          ],
          "source": {
            "advisory": "DIVD-2022-00020",
            "discovery": "EXTERNAL"
          },
          "title": "Feathers - Improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2022-29822",
        "datePublished": "2022-10-25T00:00:00.000Z",
        "dateReserved": "2022-04-27T00:00:00.000Z",
        "dateUpdated": "2025-03-11T13:39:56.587Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2422 (GCVE-0-2022-2422)

    Vulnerability from cvelistv5 – Published: 2022-10-25 00:00 – Updated: 2025-03-11 13:41
    VLAI
    Title
    Feathers - SQL injection via attribute aliases
    Summary
    Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used.
    CWE
    Assigner
    References
    URL Tags
    https://csirt.divd.nl/DIVD-2022-00020 third-party-advisory
    https://csirt.divd.nl/CVE-2022-2422 third-party-advisory
    Impacted products
    Vendor Product Version
    Feather js Feathers-Sequalize Affected: 6.x , < 6.3.4 (custom)
    Create a notification for this product.
    Date Public
    2022-10-24 22:00
    Credits
    Thomas Rinsma (Codean) Kevin Valk (Codean) Victor Pasman (DIVD) Frank Breedijk (DIVD)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:39:07.281Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://csirt.divd.nl/DIVD-2022-00020"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://csirt.divd.nl/CVE-2022-2422"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Feathers-Sequalize",
              "vendor": "Feather js",
              "versions": [
                {
                  "lessThan": "6.3.4",
                  "status": "affected",
                  "version": "6.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Thomas Rinsma (Codean)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Kevin Valk (Codean)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Victor Pasman (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            }
          ],
          "datePublic": "2022-10-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used."
                }
              ],
              "value": "Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:41:09.960Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/DIVD-2022-00020"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2022-2422"
            }
          ],
          "source": {
            "advisory": "DIVD-2022-00020",
            "discovery": "EXTERNAL"
          },
          "title": "Feathers - SQL injection via attribute aliases",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2022-2422",
        "datePublished": "2022-10-25T00:00:00.000Z",
        "dateReserved": "2022-07-15T00:00:00.000Z",
        "dateUpdated": "2025-03-11T13:41:09.960Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-29822 (GCVE-0-2022-29822)

    Vulnerability from cvelistv5 – Published: 2022-10-25 00:00 – Updated: 2025-03-11 13:39
    VLAI
    Title
    Feathers - Improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection
    Summary
    Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection
    CWE
    Assigner
    References
    URL Tags
    https://csirt.divd.nl/CVE-2022-29822/ third-party-advisory
    https://csirt.divd.nl/DIVD-2022-00020 third-party-advisory
    Impacted products
    Vendor Product Version
    Feather js Feathers-Sequalize Affected: 6.x , < 6.3.4 (custom)
    Create a notification for this product.
    Date Public
    2022-10-24 22:00
    Credits
    Thomas Rinsma (Codean) Kevin Valk (Codean) Victor Pasman (DIVD) Frank Breedijk (DIVD)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:33:42.585Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://csirt.divd.nl/CVE-2022-29822/"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://csirt.divd.nl/DIVD-2022-00020"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Feathers-Sequalize",
              "vendor": "Feather js",
              "versions": [
                {
                  "lessThan": "6.3.4",
                  "status": "affected",
                  "version": "6.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Thomas Rinsma (Codean)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Kevin Valk (Codean)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Victor Pasman (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            }
          ],
          "datePublic": "2022-10-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection"
                }
              ],
              "value": "Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:39:56.587Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2022-29822/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/DIVD-2022-00020"
            }
          ],
          "source": {
            "advisory": "DIVD-2022-00020",
            "discovery": "EXTERNAL"
          },
          "title": "Feathers - Improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2022-29822",
        "datePublished": "2022-10-25T00:00:00.000Z",
        "dateReserved": "2022-04-27T00:00:00.000Z",
        "dateUpdated": "2025-03-11T13:39:56.587Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-29823 (GCVE-0-2022-29823)

    Vulnerability from cvelistv5 – Published: 2022-10-25 00:00 – Updated: 2025-03-11 13:39
    VLAI
    Title
    Feathers - Query “__proto__” is converted to real prototype
    Summary
    Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application.
    CWE
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ("Prototype Pollution")
    Assigner
    References
    URL Tags
    https://csirt.divd.nl/DIVD-2022-00020 third-party-advisory
    https://csirt.divd.nl/CVE-2022-29823/ third-party-advisory
    Impacted products
    Vendor Product Version
    Feather js Feathers-Sequalize Affected: 6.x , < 6.3.4 (custom)
    Create a notification for this product.
    Date Public
    2022-10-24 22:00
    Credits
    Thomas Rinsma (Codean) Kevin Valk (Codean) Victor Pasman (DIVD) Frank Breedijk (DIVD)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:33:42.743Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://csirt.divd.nl/DIVD-2022-00020"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://csirt.divd.nl/CVE-2022-29823/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Feathers-Sequalize",
              "vendor": "Feather js",
              "versions": [
                {
                  "lessThan": "6.3.4",
                  "status": "affected",
                  "version": "6.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Thomas Rinsma (Codean)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Kevin Valk (Codean)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Victor Pasman (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            }
          ],
          "datePublic": "2022-10-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application."
                }
              ],
              "value": "Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\"Prototype Pollution\")",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:39:49.662Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/DIVD-2022-00020"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2022-29823/"
            }
          ],
          "source": {
            "advisory": "DIVD-2022-00020",
            "discovery": "EXTERNAL"
          },
          "title": "Feathers - Query \u201c__proto__\u201d is converted to real prototype",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2022-29823",
        "datePublished": "2022-10-25T00:00:00.000Z",
        "dateReserved": "2022-04-27T00:00:00.000Z",
        "dateUpdated": "2025-03-11T13:39:49.662Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }