Vulnerability-Lookup

CVE-2016-10556 (GCVE-0-2016-10556)

Vulnerability from cvelistv5 – Published: 2018-05-29 20:00 – Updated: 2024-09-17 03:47

Summary

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. This causes potential SQL injection in sequelize 3.19.3 and earlier, where a malicious user could put `["test", "'); DELETE TestTable WHERE Id = 1 --')"]` inside of ``` database.query('SELECT * FROM TestTable WHERE Name IN (:names)', { replacements: { names: directCopyOfUserInput } }); ``` and cause the SQL statement to become `SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --')`. In Postgres, MSSQL, and SQLite, the backslash has no special meaning. This causes the the statement to delete whichever Id has a value of 1 in the TestTable table.

Severity ?

No CVSS data available.

CWE

CWE-89 - SQL Injection (CWE-89)

Assigner

hackerone

References

URL

	Vendor	Product	Version
	HackerOne	sequelize node module	Affected: <=3.19.3

CNVD-2018-10673

Vulnerability from cnvd - Published: 2018-05-31

Title

sequelize SQL注入漏洞

Description

sequelize是一个用于Node.js的数据库ORM（对象关系映射）工具。 sequelize 3.19.3及之前版本中存在SQL注入漏洞，该漏洞源于程序将数组用作字符串而却未能正确的对其进行编码。攻击者可利用该漏洞删除TestTable表单中带有1的ID。

Severity

高

Patch Name

sequelize SQL注入漏洞的补丁

Patch Description

sequelize是一个用于Node.js的数据库ORM（对象关系映射）工具。 sequelize 3.19.3及之前版本中存在SQL注入漏洞，该漏洞源于程序将数组用作字符串而却未能正确的对其进行编码。攻击者可利用该漏洞删除TestTable表单中带有1的ID。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/sequelize/sequelize/issues/5671

Reference

https://github.com/sequelize/sequelize/issues/5671

Impacted products

Name
sequelize sequelize <=3.19.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-10556"
    }
  },
  "description": "sequelize\u662f\u4e00\u4e2a\u7528\u4e8eNode.js\u7684\u6570\u636e\u5e93ORM\uff08\u5bf9\u8c61\u5173\u7cfb\u6620\u5c04\uff09\u5de5\u5177\u3002\r\n\r\nsequelize 3.19.3\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5c06\u6570\u7ec4\u7528\u4f5c\u5b57\u7b26\u4e32\u800c\u5374\u672a\u80fd\u6b63\u786e\u7684\u5bf9\u5176\u8fdb\u884c\u7f16\u7801\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5220\u9664TestTable\u8868\u5355\u4e2d\u5e26\u67091\u7684ID\u3002",
  "discovererName": "Leibale Eidelman",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/sequelize/sequelize/issues/5671",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-10673",
  "openTime": "2018-05-31",
  "patchDescription": "sequelize\u662f\u4e00\u4e2a\u7528\u4e8eNode.js\u7684\u6570\u636e\u5e93ORM\uff08\u5bf9\u8c61\u5173\u7cfb\u6620\u5c04\uff09\u5de5\u5177\u3002\r\n\r\nsequelize 3.19.3\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5c06\u6570\u7ec4\u7528\u4f5c\u5b57\u7b26\u4e32\u800c\u5374\u672a\u80fd\u6b63\u786e\u7684\u5bf9\u5176\u8fdb\u884c\u7f16\u7801\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5220\u9664TestTable\u8868\u5355\u4e2d\u5e26\u67091\u7684ID\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "sequelize SQL\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "sequelize sequelize \u003c=3.19.3"
  },
  "referenceLink": "https://github.com/sequelize/sequelize/issues/5671",
  "serverity": "\u9ad8",
  "submitTime": "2018-05-31",
  "title": "sequelize SQL\u6ce8\u5165\u6f0f\u6d1e"
}

GSD-2016-10556

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2016-10556

Aliases

CVE-2016-10556

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-10556",
    "description": "sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. This causes potential SQL injection in sequelize 3.19.3 and earlier, where a malicious user could put `[\"test\", \"\u0027); DELETE TestTable WHERE Id = 1 --\u0027)\"]` inside of ``` database.query(\u0027SELECT * FROM TestTable WHERE Name IN (:names)\u0027, { replacements: { names: directCopyOfUserInput } }); ``` and cause the SQL statement to become `SELECT Id FROM Table WHERE Name IN (\u0027test\u0027, \u0027\\\u0027); DELETE TestTable WHERE Id = 1 --\u0027)`. In Postgres, MSSQL, and SQLite, the backslash has no special meaning. This causes the the statement to delete whichever Id has a value of 1 in the TestTable table.",
    "id": "GSD-2016-10556"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-10556"
      ],
      "details": "sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. This causes potential SQL injection in sequelize 3.19.3 and earlier, where a malicious user could put `[\"test\", \"\u0027); DELETE TestTable WHERE Id = 1 --\u0027)\"]` inside of ``` database.query(\u0027SELECT * FROM TestTable WHERE Name IN (:names)\u0027, { replacements: { names: directCopyOfUserInput } }); ``` and cause the SQL statement to become `SELECT Id FROM Table WHERE Name IN (\u0027test\u0027, \u0027\\\u0027); DELETE TestTable WHERE Id = 1 --\u0027)`. In Postgres, MSSQL, and SQLite, the backslash has no special meaning. This causes the the statement to delete whichever Id has a value of 1 in the TestTable table.",
      "id": "GSD-2016-10556",
      "modified": "2023-12-13T01:21:26.764302Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "support@hackerone.com",
        "DATE_PUBLIC": "2018-04-26T00:00:00",
        "ID": "CVE-2016-10556",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "sequelize node module",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c=3.19.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "HackerOne"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. This causes potential SQL injection in sequelize 3.19.3 and earlier, where a malicious user could put `[\"test\", \"\u0027); DELETE TestTable WHERE Id = 1 --\u0027)\"]` inside of ``` database.query(\u0027SELECT * FROM TestTable WHERE Name IN (:names)\u0027, { replacements: { names: directCopyOfUserInput } }); ``` and cause the SQL statement to become `SELECT Id FROM Table WHERE Name IN (\u0027test\u0027, \u0027\\\u0027); DELETE TestTable WHERE Id = 1 --\u0027)`. In Postgres, MSSQL, and SQLite, the backslash has no special meaning. This causes the the statement to delete whichever Id has a value of 1 in the TestTable table."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "SQL Injection (CWE-89)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/sequelize/sequelize/issues/5671",
            "refsource": "MISC",
            "url": "https://github.com/sequelize/sequelize/issues/5671"
          },
          {
            "name": "https://nodesecurity.io/advisories/102",
            "refsource": "MISC",
            "url": "https://nodesecurity.io/advisories/102"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=3.19.3",
          "affected_versions": "All versions up to 3.19.3",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-89",
            "CWE-937"
          ],
          "date": "2019-10-09",
          "description": "sequelize is vulnerable to SQLi allowing attackers to delete data in the `TestTable` table.",
          "fixed_versions": [
            "3.20.0"
          ],
          "identifier": "CVE-2016-10556",
          "identifiers": [
            "CVE-2016-10556"
          ],
          "not_impacted": "All versions after 3.19.3",
          "package_slug": "npm/sequelize",
          "pubdate": "2018-05-29",
          "solution": "Upgrade to version 3.20.0 or above.",
          "title": "SQL Injection",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2016-10556",
            "https://github.com/sequelize/sequelize/issues/5671"
          ],
          "uuid": "6de4acc7-f302-4611-90c5-3b434e5937f1"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sequelizejs:sequelize:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.19.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assignments@hackerone.com",
          "ID": "CVE-2016-10556"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. This causes potential SQL injection in sequelize 3.19.3 and earlier, where a malicious user could put `[\"test\", \"\u0027); DELETE TestTable WHERE Id = 1 --\u0027)\"]` inside of ``` database.query(\u0027SELECT * FROM TestTable WHERE Name IN (:names)\u0027, { replacements: { names: directCopyOfUserInput } }); ``` and cause the SQL statement to become `SELECT Id FROM Table WHERE Name IN (\u0027test\u0027, \u0027\\\u0027); DELETE TestTable WHERE Id = 1 --\u0027)`. In Postgres, MSSQL, and SQLite, the backslash has no special meaning. This causes the the statement to delete whichever Id has a value of 1 in the TestTable table."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-89"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://nodesecurity.io/advisories/102",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://nodesecurity.io/advisories/102"
            },
            {
              "name": "https://github.com/sequelize/sequelize/issues/5671",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Issue Tracking",
                "Third Party Advisory"
              ],
              "url": "https://github.com/sequelize/sequelize/issues/5671"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2019-10-09T23:16Z",
      "publishedDate": "2018-05-29T20:29Z"
    }
  }
}

FKIE_CVE-2016-10556

Vulnerability from fkie_nvd - Published: 2018-05-29 20:29 - Updated: 2024-11-21 02:44

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
support@hackerone.com	https://github.com/sequelize/sequelize/issues/5671	Exploit, Issue Tracking, Third Party Advisory
support@hackerone.com	https://nodesecurity.io/advisories/102	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/sequelize/sequelize/issues/5671	Exploit, Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://nodesecurity.io/advisories/102	Third Party Advisory

Impacted products

	Vendor	Product	Version
	sequelizejs	sequelize	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sequelizejs:sequelize:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "AD9B58F2-12D2-4285-98F8-D472F30B387B",
              "versionEndIncluding": "3.19.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. This causes potential SQL injection in sequelize 3.19.3 and earlier, where a malicious user could put `[\"test\", \"\u0027); DELETE TestTable WHERE Id = 1 --\u0027)\"]` inside of ``` database.query(\u0027SELECT * FROM TestTable WHERE Name IN (:names)\u0027, { replacements: { names: directCopyOfUserInput } }); ``` and cause the SQL statement to become `SELECT Id FROM Table WHERE Name IN (\u0027test\u0027, \u0027\\\u0027); DELETE TestTable WHERE Id = 1 --\u0027)`. In Postgres, MSSQL, and SQLite, the backslash has no special meaning. This causes the the statement to delete whichever Id has a value of 1 in the TestTable table."
    },
    {
      "lang": "es",
      "value": "sequelize es un mapeo objeto-relacional, o un \"middleman\", para convertir elementos de Postgres, MySQL, MariaDB, SQLite y Microsoft SQL Server en datos usables para NodeJS. En Postgres, SQLite y Microsoft SQL Server, hay un problema por el cual los arrays se tratan como cadenas y se escapan incorrectamente. Esto provoca una potencial inyecci\u00f3n SQL en sequelize en versiones 3.19.3 y anteriores, donde un usuario malicioso podr\u00eda colocar `[\"test\", \"\u0027); DELETE TestTable WHERE Id = 1 --\u0027)\"]` en ``` database.query(\u0027SELECT * FROM TestTable WHERE Name IN (:names)\u0027, { replacements: { names: directCopyOfUserInput } }); ``` y provocar que la instrucci\u00f3n SQL se convierta en `SELECT Id FROM Table WHERE Name IN (\u0027test\u0027, \u0027\\\u0027); DELETE TestTable WHERE Id = 1 --\u0027)`. En Postgres, MSSQL y SQLite, la barra diagonal invertida no tiene un significado especial. Esto provoca que la instrucci\u00f3n elimine todos los ID que tengan un valor de 1 en la tabla TestTable."
    }
  ],
  "id": "CVE-2016-10556",
  "lastModified": "2024-11-21T02:44:16.250",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-05-29T20:29:00.750",
  "references": [
    {
      "source": "support@hackerone.com",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sequelize/sequelize/issues/5671"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://nodesecurity.io/advisories/102"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sequelize/sequelize/issues/5671"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://nodesecurity.io/advisories/102"
    }
  ],
  "sourceIdentifier": "support@hackerone.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "support@hackerone.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-9C2P-JW8P-F84V

Vulnerability from github – Published: 2019-02-18 23:54 – Updated: 2023-09-11 21:48

Summary

SQL Injection in sequelize

Details

Affected versions of sequelize cast arrays to strings and fail to properly escape the resulting SQL statement, resulting in a SQL injection vulnerability.

Proof of Concept

In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped.

Example Query:

database.query('SELECT * FROM TestTable WHERE Name IN (:names)', {
  replacements: {
    names: directCopyOfUserInput
  }
});

If the user inputs the value of :names as:

["test", "'); DELETE TestTable WHERE Id = 1 --')"]

The resulting SQL statement will be:

SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --')

As the backslash has no special meaning in PostgreSQL, MSSQL, or SQLite, the statement will delete the record in TestTable with an Id of 1.

Recommendation

Update to version 3.20.0 or later.

Severity ?

7.5 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.19.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "sequelize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.20.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-10556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:28:12Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Affected versions of `sequelize` cast arrays to strings and fail to properly escape the resulting SQL statement, resulting in a SQL injection vulnerability.\n\n\n## Proof of Concept\nIn Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped.\n\nExample Query:\n```\ndatabase.query(\u0027SELECT * FROM TestTable WHERE Name IN (:names)\u0027, {\n  replacements: {\n    names: directCopyOfUserInput\n  }\n});\n```\n\nIf the user inputs the value of `:names` as:\n```\n[\"test\", \"\u0027); DELETE TestTable WHERE Id = 1 --\u0027)\"]\n```\n\nThe resulting SQL statement will be:\n```sql\nSELECT Id FROM Table WHERE Name IN (\u0027test\u0027, \u0027\\\u0027); DELETE TestTable WHERE Id = 1 --\u0027)\n```\nAs the backslash has no special meaning in PostgreSQL, MSSQL, or SQLite, the statement will delete the record in TestTable with an Id of 1.\n\n\n## Recommendation\n\nUpdate to version 3.20.0 or later.",
  "id": "GHSA-9c2p-jw8p-f84v",
  "modified": "2023-09-11T21:48:29Z",
  "published": "2019-02-18T23:54:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10556"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/issues/5671"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/commit/23952a2b020cc3571f090e67dae7feb084e1be71"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/commits/v3.20.0?after=62e4dacb28a779a190a3e042b971dcd8c7926e49+34\u0026branch=v3.20.0\u0026qualified_name=refs%2Ftags%2Fv3.20.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SQL Injection in sequelize"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2016-10556 (GCVE-0-2016-10556)

CNVD-2018-10673

GSD-2016-10556

FKIE_CVE-2016-10556

GHSA-9C2P-JW8P-F84V

Proof of Concept

Recommendation

Tags

Sightings

Nomenclature