Sensitive Data Exposure Affecting sequelize-cli package, versions <5.5.0
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-SEQUELIZECLI-174320
- published 15 Apr 2019
- disclosed 4 Dec 2018
- credit FelixLC
How to fix?
Upgrade sequelize-cli to version 5.5.0 or higher.
Overview
sequelize-cli is a Command Line Interface (CLI) package version of the Sequelize Object Relational Mapping (ORM) platform.
Affected versions of this package are vulnerable to Sensitive Data Exposure. The filteredUrl function in sequelize-cli does not escape the config.password value, which allows sensitive user information such as passwords to be stored in log files.