CVE-2023-25813

Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.

CVSS v3.0 9.8 CRITICAL

9.8^/10

CVSS v3.0 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b	Patch
https://github.com/sequelize/sequelize/issues/14519	Exploit Issue Tracking
https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw	Exploit Vendor Advisory
https://github.com/sequelize/sequelize/releases/tag/v6.19.1	Release Notes

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:sequelizejs:sequelize:*:*:*:*:*:node.js:*:*

Information

Published : 2023-02-22 11:15

Updated : 2023-03-02 18:04

NVD link : CVE-2023-25813

Mitre link : CVE-2023-25813

JSON object : View

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Advertisement

Products Affected

sequelizejs

sequelize

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b", "name": "https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b", "tags": ["Patch"], "refsource": "MISC"}, {"url": "https://github.com/sequelize/sequelize/issues/14519", "name": "https://github.com/sequelize/sequelize/issues/14519", "tags": ["Exploit", "Issue Tracking"], "refsource": "MISC"}, {"url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw", "name": "https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw", "tags": ["Exploit", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://github.com/sequelize/sequelize/releases/tag/v6.19.1", "name": "https://github.com/sequelize/sequelize/releases/tag/v6.19.1", "tags": ["Release Notes"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-89"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2023-25813", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2023-02-22T19:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:sequelizejs:sequelize:*:*:*:*:*:node.js:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "6.19.1"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-03-03T02:04Z"}