CVE-2023-22578

CRITICAL10.0EPSS 0.18%

Sequelize - Default support for “raw attributes” when using parentheses

發布日:2023/2/24修改日:2023/11/8

描述

### Impact Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL ```ts User.findAll({ attributes: [ ['count(id)', 'count'] ] }); ``` Produced ```sql SELECT count(id) AS "count" FROM "users" ``` ### Patches This feature was deprecated in Sequelize 5, and using it prints a deprecation warning. This issue has been patched in [`@sequelize/[email protected]`](https://github.com/sequelize/sequelize/pull/15374) and [`[email protected]`](https://github.com/sequelize/sequelize/pull/15710). In Sequelize 7, it now produces the following: ```sql SELECT "count(id)" AS "count" FROM "users" ``` In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include `()` without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information. ### Mitigations Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the `rawAttributes` property of your model first. --- A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694 CVE: CVE-2023-22578

受影響套件(2)

npm/sequelizefrom 0, < 6.29.0
npm/@sequelize/corefrom 0, < 7.0.0-alpha.20

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL10.0	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

描述

受影響套件(2)

CVSS 分數

參考連結(9)