CVE-2019-11069
Severity: HIGH 7.5 | EPSS: 0.27% | SQL Injection in sequelize
Published: 4/11/2019 | Modified: 11/20/2023
Also known as: GHSA-2777-2vq8-c4v4
Description
Versions of `sequelize` prior to 5.3.0 (excluding v3 and v4) are vulnerable to SQL Injection. The PostgreSQL option `standard_conforming_strings` is not set to `on` by default, which may allow attackers to inject SQL statements due to poor handling of backslashes in string literals.
Recommendation
Upgrade to version 5.3.0 or later.
Affected packages (1)
- npm/sequelize: >= 5.0.0, < 5.3.0
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2019-11069
- PATCH: https://github.com/sequelize/sequelize
- WEB: https://github.com/sequelize/sequelize/blob/98cb17c17f73e2aa1792aa5a1d31216ba984b456/lib/dialects/postgres/connection-manager.js#L158-L160
- WEB: https://github.com/sequelize/sequelize/commit/850c7fd04669e0fef9238b6dc4f8d6ee93ed71e9
- WEB: https://github.com/sequelize/sequelize/pull/10746
- WEB: https://github.com/sequelize/sequelize/pull/10746/files
- WEB: https://github.com/sequelize/sequelize/releases/tag/v5.3.0
- WEB: https://snyk.io/vuln/SNYK-JS-SEQUELIZE-174167