// For flags

CVE-2016-10556

 

Severity Score

7.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. This causes potential SQL injection in sequelize 3.19.3 and earlier, where a malicious user could put `["test", "'); DELETE TestTable WHERE Id = 1 --')"]` inside of ``` database.query('SELECT * FROM TestTable WHERE Name IN (:names)', { replacements: { names: directCopyOfUserInput } }); ``` and cause the SQL statement to become `SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --')`. In Postgres, MSSQL, and SQLite, the backslash has no special meaning. This causes the the statement to delete whichever Id has a value of 1 in the TestTable table.

sequelize es un mapeo objeto-relacional, o un "middleman", para convertir elementos de Postgres, MySQL, MariaDB, SQLite y Microsoft SQL Server en datos usables para NodeJS. En Postgres, SQLite y Microsoft SQL Server, hay un problema por el cual los arrays se tratan como cadenas y se escapan incorrectamente. Esto provoca una potencial inyección SQL en sequelize en versiones 3.19.3 y anteriores, donde un usuario malicioso podría colocar `["test", "'); DELETE TestTable WHERE Id = 1 --')"]` en ``` database.query('SELECT * FROM TestTable WHERE Name IN (:names)', { replacements: { names: directCopyOfUserInput } }); ``` y provocar que la instrucción SQL se convierta en `SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --')`. En Postgres, MSSQL y SQLite, la barra diagonal invertida no tiene un significado especial. Esto provoca que la instrucción elimine todos los ID que tengan un valor de 1 en la tabla TestTable.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-10-29 CVE Reserved
  • 2018-05-29 CVE Published
  • 2024-03-05 EPSS Updated
  • 2024-09-17 CVE Updated
  • 2024-09-17 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (2)
URL Tag Source
https://nodesecurity.io/advisories/102 Third Party Advisory
URL Date SRC
https://github.com/sequelize/sequelize/issues/5671 2024-09-17
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Sequelizejs
Search vendor "Sequelizejs"
 Sequelize
Search vendor "Sequelizejs" for product "Sequelize"
 <= 3.19.3
Search vendor "Sequelizejs" for product "Sequelize" and version " <= 3.19.3"
node.js
Affected