CVE-2019-10752 - SQL Injection vulnerability in Sequelizejs Sequelize

Publication

2019-10-17

Last modification

2019-10-21

Summary

Sequelize, all versions prior to 4.44.3 (4.x line) and 5.15.1 (5.x line), is vulnerable to SQL injection because the sequelize.json() helper function does not properly escape values when it formats sub paths for JSON queries on MySQL, MariaDB and SQLite.
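As an added example (not code from the advisory or from the Sequelize project), the following Node script classifies installed Sequelize versions against the two fix thresholds stated above, which is the check a defender runs over a lockfile before anything else. The map of installed copies is constructed sample data, and reporting majors other than 4 and 5 as outside the advisory's range is this example's own convention, since the advisory only enumerates 4.x and 5.x releases.

```javascript
// Added example, not part of the CVE-2019-10752 record or of Sequelize itself.
// Fix thresholds come from the advisory summary: 4.44.3 for the 4.x line and
// 5.15.1 for the 5.x line. Majors outside 4 and 5 are not covered by the
// advisory's affected-version list, so they are reported separately.
const FIXED = { 4: [4, 44, 3], 5: [5, 15, 1] };

// Parse "MAJOR.MINOR.PATCH". A leading "v" and any "-prerelease" or "+build"
// suffix are accepted and dropped; prerelease ordering is not modelled here.
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(str).trim());
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${str}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison of two parsed versions: -1, 0 or 1.
// (A plain string compare would wrongly rank 4.9.0 above 4.10.0.)
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "affected", "fixed" or "outside-advisory-range".
function classifySequelizeVersion(str) {
  const v = parseVersion(str);
  const fixedAt = FIXED[v[0]];
  if (!fixedAt) return 'outside-advisory-range';
  return compareVersions(v, fixedAt) < 0 ? 'affected' : 'fixed';
}

// Given a map of install path -> version (what a lockfile walker would
// produce), return only the entries that still need an upgrade.
function findAffected(installed) {
  return Object.entries(installed)
    .map(([path, version]) => ({ path, version, status: classifySequelizeVersion(version) }))
    .filter((e) => e.status === 'affected');
}

// Constructed sample input: three services pinning different Sequelize releases.
const sampleInstalled = {
  'service-a/node_modules/sequelize': '5.15.0',
  'service-b/node_modules/sequelize': '4.44.3',
  'service-c/node_modules/sequelize': '4.13.17',
};

for (const e of findAffected(sampleInstalled)) {
  console.log(`${e.path}@${e.version} is affected by CVE-2019-10752; upgrade to 4.44.3 or 5.15.1`);
}
```

With the sample map, service-a (5.15.0) and service-c (4.13.17) are reported, while service-b on exactly 4.44.3 is not, which is the boundary that matters: the fixed versions themselves are safe, everything below them on the same line is not.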

Classification

CWE-89 - SQL Injection

Risk level (CVSS AV:N/AC:L/Au:N/C:P/I:P/A:P)

High

7.5

Access Vector

Network

Access Complexity

Low

Authentication

None

Confidentiality Impact

Partial

Integrity Impact

Partial

Availability Impact

Partial

Affected Products

Vendor: Sequelizejs

Product: Sequelize

Versions: 4.25.0, 5.2.10, 4.16.2, 4.28.6, 4.33.4, 4.35.2, 4.32.3, 4.7.3, 4.15.1, 5.7.4, 4.33.0, 4.22.8, 4.35.0, 4.39.1, 5.12.2, 4.15.2, 4.21.0, 4.35.1, 5.7.2, 5.2.5, 5.8.4, 4.28.7, 5.10.2, 5.7.3, 4.31.0, 4.8.3, 5.8.10, 5.9.1, 4.2.1, 4.37.1, 4.27.0, 5.10.1, 4.29.0, 5.7.6, 4.13.13, 4.7.4, 4.29.3, 4.33.1, 4.44.0, 4.22.5, 4.35.3, 4.13.1, 5.2.13, 4.13.11, 4.13.4, 4.43.1, 4.28.5, 4.22.16, 4.33.2, 4.32.1, 5.14.0, 4.17.0, 5.2.4, 5.2.8, 5.6.1, 4.25.2, 4.42.1, 4.13.17, 4.23.0, 4.20.3, 4.22.15, 5.2.12, 4.37.10, 5.9.0, 4.37.2, 4.41.1, 4.31.1, 5.9.3, 4.4.10, 5.2.6, 4.8.4, 4.13.7, 4.37.8, 4.14.0, 4.43.0, 4.22.10, 4.38.0, 4.11.3, 5.8.3, 4.28.2, 5.8.11, 5.2.1, 4.7.0, 5.9.4, 4.1.0, 4.13.3, 5.8.7, 4.16.1, 4.2.0, 4.7.1, 4.9.0, 4.33.3, 5.8.5, 5.1.0, 4.43.2, 4.28.4, 5.2.15, 4.18.0, 5.8.8, 4.23.4, 4.13.9, 5.3.2, 5.15.0, 5.5.1, 4.13.2, 4.31.2, 5.0.0, 5.8.9, 4.37.3, 4.20.2, 5.8.12, 4.23.1, 4.28.1, 4.25.1, 5.8.0, 4.36.1, 4.30.0, 5.3.1, 4.22.3, 4.12.0, 4.34.1, 5.3.3, 4.7.5, 5.13.1, 4.32.4, 4.13.16, 5.12.3, 4.3.2, 4.36.0, 4.8.1, 4.29.2, 4.32.7, 4.4.4, 4.37.0, 5.10.3, 4.11.6, 4.10.2, 5.2.2, 4.13.0, 4.20.0, 4.11.4, 4.11.5, 4.37.5, 5.2.14, 4.28.0, 4.22.14, 4.24.0, 4.39.0, 5.2.9, 5.2.0, 5.10.0, 4.4.5, 4.8.0, 5.6.0, 4.23.2, 5.13.0, 4.32.2, 4.22.6, 4.22.7, 4.22.13, 4.10.3, 4.40.0, 4.22.11, 5.2.7, 4.13.6, 4.35.4, 4.11.0, 4.10.0, 4.13.14, 5.8.6, 4.3.1, 4.16.0, 4.5.0, 4.30.2, 5.1.1, 4.19.0, 5.8.1, 4.13.10, 4.11.2, 4.22.0, 4.42.0, 4.23.3, 5.2.3, 4.4.9, 5.7.1, 4.11.1, 4.26.0, 4.11.7, 5.8.2, 4.0.0, 4.13.8, 4.38.1, 4.22.1, 4.32.0, 5.12.1, 5.3.5, 4.22.12, 4.30.1, 4.17.1, 4.4.2, 4.13.12, 4.32.5, 5.3.0, 5.7.0, 4.4.0, 4.7.2, 4.28.3, 4.4.1, 4.20.1, 4.34.0, 4.10.1, 5.2.11, 4.4.8, 5.7.5, 4.35.5, 5.9.5, 4.15.0, 4.28.8, 4.13.15, 5.4.0, 4.32.6, 4.8.2, 4.4.6, 4.4.7, 4.37.4, 4.41.2, 4.17.2, 5.11.0, 5.12.0, 4.22.9, 4.29.1, 5.3.4, 4.22.2, 4.3.0, 4.6.0, 5.5.0, 4.41.0, 4.37.9, 4.13.5, 4.37.6, 5.9.2, 4.37.7, 4.22.4