Overview
sequelize versions prior to 3.17.0 are vulnerable to SQL Injection attacks if untrusted user input is passed into the order or limit parameters.
Example
```js
// Vulnerable usage: the untrusted string is passed straight through as `limit`
// and ends up in the generated SQL.
models.User.findAll({
  limit: '1; DELETE FROM "Users" WHERE 1=1; --',
}).then(function (users) {
  console.log(users);
});
```
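Upgrading is the fix; independently of the library version, `limit` and `order` should never carry raw request input. The following is an added example, not code from the advisory or from the Sequelize project: it shows the input validation a caller applies before handing these options to `findAll()`. The allowed column names, the maximum page size and the `column:asc|desc` query syntax are assumptions for this demonstration.

```javascript
// Added example (not part of the advisory or of Sequelize): validate
// untrusted `limit` / `order` query input before it reaches findAll().
// ORDERABLE_COLUMNS and MAX_LIMIT are assumed values for this demo.
const ORDERABLE_COLUMNS = new Set(['id', 'username', 'createdAt']);
const MAX_LIMIT = 100;

class InvalidQueryOption extends Error {}

// Accepts only a decimal integer (string or number) in [1, MAX_LIMIT].
// Anything else, including the advisory's payload, is rejected.
function parseLimit(raw, fallback = 25) {
  if (raw === undefined || raw === null || raw === '') return fallback;
  if (typeof raw !== 'string' && typeof raw !== 'number') {
    throw new InvalidQueryOption('limit must be a number');
  }
  const s = String(raw).trim();
  if (!/^[0-9]{1,6}$/.test(s)) {
    throw new InvalidQueryOption(`limit is not a positive integer: ${JSON.stringify(raw)}`);
  }
  const n = Number(s);
  if (n < 1 || n > MAX_LIMIT) {
    throw new InvalidQueryOption(`limit out of range 1..${MAX_LIMIT}: ${n}`);
  }
  return n;
}

// Accepts "column" or "column:asc|desc" (assumed syntax); the column must be
// on the allowlist, so no request-controlled text is spliced into the SQL.
const ORDER_SYNTAX = /^([A-Za-z_][A-Za-z0-9_]*)(?::(asc|desc))?$/i;

function parseOrder(raw, fallback = [['id', 'ASC']]) {
  if (raw === undefined || raw === null || raw === '') return fallback;
  if (typeof raw !== 'string') throw new InvalidQueryOption('order must be a string');
  const m = ORDER_SYNTAX.exec(raw.trim());
  if (!m) throw new InvalidQueryOption(`order has invalid syntax: ${JSON.stringify(raw)}`);
  const [, column, dir = 'asc'] = m;
  if (!ORDERABLE_COLUMNS.has(column)) {
    throw new InvalidQueryOption(`order column not allowed: ${JSON.stringify(column)}`);
  }
  // Array form [[column, direction]] lets Sequelize quote the identifier.
  return [[column, dir.toUpperCase()]];
}

// Builds the options object for e.g. models.User.findAll(buildFindOptions(req.query)).
function buildFindOptions(query) {
  return { limit: parseLimit(query.limit), order: parseOrder(query.order) };
}

// Constructed sample request: the advisory's payload is rejected before any
// query is built; a well-formed request yields a bounded, allowlisted option set.
function demo() {
  const results = {};
  try {
    buildFindOptions({ limit: '1; DELETE FROM "Users" WHERE 1=1; --' });
    results.payload = 'accepted';
  } catch (e) {
    results.payload = e instanceof InvalidQueryOption ? 'rejected' : 'error';
  }
  results.valid = buildFindOptions({ limit: '5', order: 'createdAt:desc' });
  return results;
}
```

Rejections surface as `InvalidQueryOption`, which a request handler maps to a 400 response; the fallback values give unauthenticated listings a fixed page size and ordering even when the client sends nothing.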
Remediation
Upgrade to version 3.17.0 or greater.
References
- https://github.com/sequelize/sequelize/pull/5167
- https://github.com/sequelize/sequelize/blob/master/changelog.md#3170
- https://github.com/sequelize/sequelize/commit/d198d78182cbf1ea3ef1706740b35813a6aa0838
Snyk patch available for versions:
- <=3.16.0 >=3.2.0
CVSS Score
7.3 (high severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Credit: Spencer Creasey
- CWE: CWE-89
- Snyk ID: npm:sequelize:20160106
- Disclosed: 06 Jan, 2015
- Published: 01 Apr, 2016