CVE-2015-1369
EPSS 0.36%
SQL Injection in sequelize
Published: 2017/10/24, Modified: 2023/11/8
Description
Versions 2.0.0-rc-7 and earlier of `sequelize` are affected by a SQL injection vulnerability when user input is passed into the order parameter.

## Proof of Concept

```javascript
// Vulnerable pattern from the advisory: the second element of an `order`
// pair (the sort direction) is taken straight from untrusted input and, in
// the affected versions, reaches the generated SQL unescaped.
Test.findAndCountAll({
  where: { id: 1 },
  order: [['id', 'UNTRUSTED USER INPUT']]
})
```

## Recommendation

Update to version 2.0.0-rc8 or later.
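As an added defensive illustration (not code from the sequelize project or from this advisory), the following JavaScript builds the `order` clause only from allowlisted attribute names and directions, so a raw request value never becomes the second element of an order pair; the attribute list, the `sort`/`dir` query shape and the `Item` model are assumptions.

```javascript
// Added example (not from the sequelize project): construct a Sequelize-style
// `order` array from untrusted request parameters by allowlisting both the
// column and the direction instead of passing the raw strings through.
// The attribute list, request shape and model name below are assumptions.

// Attributes a client may sort by. Anything not listed is rejected, so a
// value that is not one of these names never reaches the query builder.
const SORTABLE_ATTRIBUTES = new Set(['id', 'createdAt', 'title']);

// The only two directions Sequelize needs; the map normalises case and
// doubles as the allowlist.
const DIRECTIONS = new Map([['asc', 'ASC'], ['desc', 'DESC']]);

// Returns a validated order clause such as [['createdAt', 'DESC']], or throws
// a plain Error that the caller maps to an HTTP 400 response.
function buildOrder(sortParam, dirParam = 'asc') {
  if (typeof sortParam !== 'string' || !SORTABLE_ATTRIBUTES.has(sortParam)) {
    throw new Error(`unsupported sort attribute: ${String(sortParam)}`);
  }
  const direction = DIRECTIONS.get(String(dirParam).toLowerCase());
  if (direction === undefined) {
    throw new Error(`unsupported sort direction: ${String(dirParam)}`);
  }
  return [[sortParam, direction]];
}

// Convenience wrapper for the assumed request shape (constructed sample):
// GET /items?sort=createdAt&dir=desc  ->  req.query = { sort, dir }
function orderFromQuery(query) {
  return buildOrder(query.sort, query.dir);
}

// Stand-alone demonstration. The `findAndCountAll` call is shown only as the
// intended call site (assumed model `Item`) and is not executed here.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(orderFromQuery({ sort: 'createdAt', dir: 'desc' }));
  try {
    orderFromQuery({ sort: 'id', dir: 'UNTRUSTED USER INPUT' });
  } catch (e) {
    console.log('rejected:', e.message);
  }
  // Item.findAndCountAll({ where: { id: 1 }, order: orderFromQuery(req.query) });
}
```

Validating the direction against a fixed allowlist is the right fix on the application side regardless of the ORM version: even after updating past 2.0.0-rc8, the order clause should be built from values the application chose, not values the client typed.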
Affected packages (1)
- npm/sequelize (from 0, < 2.0.0-rc8)
References (7)
- ADVISORY https://github.com/advisories/GHSA-xqg8-cv3h-xppv
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2015-1369
- PATCH https://github.com/sequelize/sequelize
- WEB https://github.com/sequelize/sequelize/issues/2906
- WEB https://github.com/sequelize/sequelize/pull/2919
- WEB https://www.npmjs.com/advisories/33
- WEB http://www.openwall.com/lists/oss-security/2015/01/23/2