asauray/InfotelAPI2016

WS-2016-0021 (High) detected in sequelize-3.17.3.tgz


WS-2016-0021 - High Severity Vulnerability

Vulnerable Library - sequelize-3.17.3.tgz

Multi dialect ORM for Node.JS/io.js

Library home page: https://registry.npmjs.org/sequelize/-/sequelize-3.17.3.tgz

Path to dependency file: /InfotelAPI2016/package.json

Path to vulnerable library: /InfotelAPI2016/node_modules/sequelize/package.json

Dependency Hierarchy:

  • sequelize-3.17.3.tgz (Vulnerable Library)

Found in HEAD commit: 6d3ae9745a93368ee736c4dc1be87c814e996b3f

Vulnerability Details

Sequelize versions prior to 3.20.0 improperly escape arrays of strings bound to named parameters. When such an array is expanded into an IN statement, the unescaped elements become part of the SQL text, so an IN list built from untrusted input is an SQL injection point.

Publish Date: 2016-04-01

URL: WS-2016-0021

CVSS 2 Score Details (7.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: sequelize/sequelize#5671

Release Date: 2017-01-31

Fix Resolution: 3.20.0

