CVE-2019-11069
Severity: HIGH 7.5 | EPSS: 0.27% | SQL Injection in sequelize
Published: 2019/4/11 | Modified: 2023/11/20
Description
Versions of `sequelize` prior to 5.3.0 (excluding v3 and v4) are vulnerable to SQL Injection. The PostgreSQL option `standard_conforming_strings` is not set to `on` by default, which may allow attackers to inject SQL statements due to poor handling of backslashes in string literals.

Recommendation
Upgrade to version 5.3.0 or later.
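As an added example (not sequelize's own code) that illustrates the mechanism above: a simplified model of how PostgreSQL's lexer ends a single-quoted literal in each `standard_conforming_strings` mode, a quote-doubling-only escaper beside one that also doubles backslashes, and a check that the literal ends exactly where the caller intended. The lexer model is an assumption that ignores `E'...'` strings, dollar quoting and comments; the sample value is constructed.

```javascript
// Added example, not sequelize's own code. Models the part of PostgreSQL's
// string lexing that matters for CVE-2019-11069 (simplified: no E'...'
// strings, dollar quoting or comments).

// Returns the index just past the closing quote of the single-quoted literal
// that starts at sql[start], or -1 if the literal never terminates.
// With standard_conforming_strings = off, a backslash escapes the next
// character, so a backslash before a quote keeps the literal open.
// With it on, backslashes are ordinary and only '' is an escaped quote.
function literalEnd(sql, start, standardConformingStrings) {
  let i = start + 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === '\\' && !standardConformingStrings) { i += 2; continue; }
    if (c === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; } // '' -> literal quote
      return i + 1;
    }
    i++;
  }
  return -1;
}

// Naive escaping: doubles single quotes only. Correct when
// standard_conforming_strings is on, insufficient when it is off.
function quoteNaive(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Hardened escaping: additionally doubles backslashes when the server is not
// using standard-conforming strings, so a trailing backslash cannot consume
// the closing quote. (sequelize >= 5.3.0 instead forces the setting on.)
function quoteLiteral(value, standardConformingStrings) {
  let s = String(value).replace(/'/g, "''");
  if (!standardConformingStrings) s = s.replace(/\\/g, '\\\\');
  return "'" + s + "'";
}

// Check: does the literal built from `quoted` end exactly at its own closing
// quote, i.e. does the rest of the query stay outside the string?
function literalStaysIntact(quoted, standardConformingStrings) {
  const sql = 'SELECT * FROM users WHERE name = ' + quoted + ' AND active';
  const start = sql.indexOf("'");
  return literalEnd(sql, start, standardConformingStrings) === start + quoted.length;
}

// Constructed sample: a value ending in a backslash.
const sample = 'foo\\';
console.log(literalStaysIntact(quoteNaive(sample), true));          // true
console.log(literalStaysIntact(quoteNaive(sample), false));         // false
console.log(literalStaysIntact(quoteLiteral(sample, false), false)); // true
```

The second line of output is the vulnerable case: with the setting off, the naively quoted literal swallows the rest of the statement, which is why the fix makes the setting `on` rather than relying on the escaper.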
Affected packages (1)
- npm/sequelize >= 5.0.0, < 5.3.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2019-11069
- PATCH: https://github.com/sequelize/sequelize
- WEB: https://github.com/sequelize/sequelize/blob/98cb17c17f73e2aa1792aa5a1d31216ba984b456/lib/dialects/postgres/connection-manager.js#L158-L160
- WEB: https://github.com/sequelize/sequelize/commit/850c7fd04669e0fef9238b6dc4f8d6ee93ed71e9
- WEB: https://github.com/sequelize/sequelize/pull/10746
- WEB: https://github.com/sequelize/sequelize/pull/10746/files
- WEB: https://github.com/sequelize/sequelize/releases/tag/v5.3.0
- WEB: https://snyk.io/vuln/SNYK-JS-SEQUELIZE-174167