SQL Injection

Affecting sequelize package, versions <2.1.4


Overview

Beginning with sequelize version 3.0.0, two security related changes were introduced:

  • findOne no longer takes a string / integer / binary argument to represent a primaryKey. Use findById instead.
  • where: "raw query" is no longer legal; you must now explicitly use where: ["raw query", [replacements]]
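
The following is an added illustration, not sequelize's own code, of why the second change matters: it emulates the pre-3.0 pattern where an application built the raw `where` string itself, beside the 3.x array form in which the SQL text holds only placeholders and the values travel separately. The `escapeLiteral` and `bindReplacements` helpers are simplified, assumed stand-ins for what the dialect driver does (real drivers also handle backslashes, NUL bytes and other dialect-specific cases).

```javascript
// Assumed, simplified stand-in for dialect-level literal escaping:
// numbers pass through, strings are quoted with embedded quotes doubled.
function escapeLiteral(value) {
  if (typeof value === 'number') return String(value);
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Emulates the `["raw query", [replacements]]` shape: every `?` in the raw
// text is filled from the replacements array, and the counts must match.
function bindReplacements(sql, replacements) {
  let next = 0;
  const bound = sql.replace(/\?/g, () => {
    if (next >= replacements.length) throw new Error('too few replacements');
    return escapeLiteral(replacements[next++]);
  });
  if (next !== replacements.length) throw new Error('too many replacements');
  return bound;
}

// Pre-3.0 style: the application concatenates user input into the raw
// where string, so any quote in the input changes the statement structure.
function vulnerableWhere(userInput) {
  return "name = '" + userInput + "'";
}

// 3.x style: the raw text contains only a placeholder; the value is bound.
function hardenedWhere(userInput) {
  return bindReplacements('name = ?', [userInput]);
}

// Constructed sample input containing a quote character.
const sample = "O'Brien";
console.log('vulnerable:', vulnerableWhere(sample)); // quote breaks out of the literal
console.log('hardened:  ', hardenedWhere(sample));   // quote stays inside the literal
```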

Remediation

Upgrade to version 3.0.0 or greater.

CVSS Score

6.5
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Credit
Unknown
CVE
CVE-2016-10553
CWE
CWE-89
Snyk ID
npm:sequelize:20150517
Disclosed
17 May, 2015
Published
01 Apr, 2016