CVE-2016-10556 (High) detected in sequelize-3.17.3.tgz
Opened this issue · 0 comments
CVE-2016-10556 - High Severity Vulnerability
Vulnerable Library - sequelize-3.17.3.tgz
Multi dialect ORM for Node.JS/io.js
Library home page: https://registry.npmjs.org/sequelize/-/sequelize-3.17.3.tgz
Path to dependency file: /InfotelAPI2016/package.json
Path to vulnerable library: /InfotelAPI2016/node_modules/sequelize/package.json
Dependency Hierarchy:
- ❌ sequelize-3.17.3.tgz (Vulnerable Library)
Found in HEAD commit: 6d3ae9745a93368ee736c4dc1be87c814e996b3f
Vulnerability Details
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. This causes potential SQL injection in sequelize 3.19.3 and earlier, where a malicious user could put ["test", "'); DELETE TestTable WHERE Id = 1 --')"] inside of database.query('SELECT * FROM TestTable WHERE Name IN (:names)', { replacements: { names: directCopyOfUserInput } }); and cause the SQL statement to become SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --'). In Postgres, MSSQL, and SQLite, the backslash has no special meaning. This causes the the statement to delete whichever Id has a value of 1 in the TestTable table.
Publish Date: 2018-05-29
URL: CVE-2016-10556
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10556
Release Date: 2018-12-15
Fix Resolution: v3.20.0
Step up your Open Source Security Game with WhiteSource here