PT-2019-12024 · Sequelize · Sequelize

Published 2019-10-29 · Updated 2019-11-08 · CVE-2019-10749

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: sequelize versions prior to 3.35.1

Description: SQL injection in the Postgres dialect, caused by JSON path keys not being properly sanitized. An attacker may inject SQL statements and execute arbitrary SQL queries.

Recommendations: For versions prior to 3.35.1, upgrade to version 3.35.1 or later.

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2019-10749
GHSA-2598-2F59-RMHQ
SNYK-JS-SEQUELIZE-450222

Affected Products

Sequelize