Vulnerability-Lookup

GHSA-98PQ-PMW9-4GPM

Vulnerability from github – Published: 2019-02-18 23:54 – Updated: 2020-08-31 18:11

Summary

SQL Injection in sequelize

Details

Affected versions of sequelize are vulnerable to SQL Injection in locations where user input is passed into the limit or order parameters of sequelize query calls, such as findOne or findAll.

Recommendation

Update to version 3.17.0 or later.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "sequelize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-10550"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:27:57Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Affected versions of `sequelize` are vulnerable to SQL Injection in locations where user input is passed into the `limit` or `order` parameters of `sequelize` query calls, such as `findOne` or `findAll`.\n\n\n\n## Recommendation\n\nUpdate to version 3.17.0 or later.",
  "id": "GHSA-98pq-pmw9-4gpm",
  "modified": "2020-08-31T18:11:11Z",
  "published": "2019-02-18T23:54:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10550"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/pull/5167/commits/f282d85e60e3df5e57ecdb82adccb4eaef404f03"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-98pq-pmw9-4gpm"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/112"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "SQL Injection in sequelize"
}

CVE-2016-10550 (GCVE-0-2016-10550)

Vulnerability from cvelistv5 – Published: 2018-05-31 20:00 – Updated: 2024-09-16 23:31

Summary

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS If user input goes into the `limit` or `order` parameters, a malicious user can put in their own SQL statements. This affects sequelize 3.16.0 and earlier.

Severity ?

No CVSS data available.

CWE

CWE-89 - SQL Injection (CWE-89)

Assigner

hackerone

References

URL

Tags

	https://nodesecurity.io/advisories/112	x_refsource_MISC
	https://github.com/sequelize/sequelize/pull/5167/…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	HackerOne	sequelize node module	Affected: <= 3.16.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T03:21:52.228Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nodesecurity.io/advisories/112"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sequelize/sequelize/pull/5167/commits/f282d85e60e3df5e57ecdb82adccb4eaef404f03"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "sequelize node module",
          "vendor": "HackerOne",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 3.16.0"
            }
          ]
        }
      ],
      "datePublic": "2018-04-26T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS If user input goes into the `limit` or `order` parameters, a malicious user can put in their own SQL statements. This affects sequelize 3.16.0 and earlier."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "SQL Injection (CWE-89)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-01T14:57:01",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nodesecurity.io/advisories/112"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sequelize/sequelize/pull/5167/commits/f282d85e60e3df5e57ecdb82adccb4eaef404f03"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "DATE_PUBLIC": "2018-04-26T00:00:00",
          "ID": "CVE-2016-10550",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "sequelize node module",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c= 3.16.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "HackerOne"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS If user input goes into the `limit` or `order` parameters, a malicious user can put in their own SQL statements. This affects sequelize 3.16.0 and earlier."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "SQL Injection (CWE-89)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://nodesecurity.io/advisories/112",
              "refsource": "MISC",
              "url": "https://nodesecurity.io/advisories/112"
            },
            {
              "name": "https://github.com/sequelize/sequelize/pull/5167/commits/f282d85e60e3df5e57ecdb82adccb4eaef404f03",
              "refsource": "MISC",
              "url": "https://github.com/sequelize/sequelize/pull/5167/commits/f282d85e60e3df5e57ecdb82adccb4eaef404f03"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2016-10550",
    "datePublished": "2018-05-31T20:00:00Z",
    "dateReserved": "2017-10-29T00:00:00",
    "dateUpdated": "2024-09-16T23:31:50.320Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted