CVE-2023-22579
CRITICAL9.9EPSS 0.40%Unsafe fall-through in getWhereConditions
描述
### Impact Providing an invalid value to the `where` option of a query caused Sequelize to ignore that option instead of throwing an error. A finder call like the following did not throw an error: ```ts User.findAll({ where: new Date(), }); ``` As this option is typically used with plain javascript objects, be aware that this only happens at the top level of this option. ### Patches This issue has been patched in [`[email protected]`](https://github.com/sequelize/sequelize/pull/15699) & [`@sequelize/[email protected]`](https://github.com/sequelize/sequelize/pull/15375) ### References A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15698 CVE: CVE-2023-22579 Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090
受影響套件(2)
- npm/sequelizefrom 0, < 6.28.1
- npm/@sequelize/corefrom 0, < 7.0.0-alpha.20
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
參考連結(10)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-22579
- PATCHhttps://github.com/sequelize/sequelize
- WEBhttps://csirt.divd.nl/CVE-2023-22579
- WEBhttps://csirt.divd.nl/DIVD-2022-00020
- WEBhttps://github.com/sequelize/sequelize/discussions/15698
- WEBhttps://github.com/sequelize/sequelize/pull/15375
- WEBhttps://github.com/sequelize/sequelize/pull/15699
- WEBhttps://github.com/sequelize/sequelize/releases/tag/v6.28.1
- WEBhttps://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20
- WEBhttps://github.com/sequelize/sequelize/security/advisories/GHSA-vqfx-gj96-3w95