Critical SQL injection vulnerabilities found in the Sequelize tool

Critical vulnerabilities in the Sequelize engine could allow remote attackers to execute arbitrary SQL queries against the database.





With over 18,600 monthly downloads, Sequelize is an object-relational mapping (ORM) tool for Node.js that works with many different databases, including Postgres, MySQL, MariaDB, SQLite, DB2, Microsoft SQL Server, Snowflake, Oracle DB and Db2 for IBM. The tool offers features such as support for sequential execution, relationships between tables, eager loading and lazy loading, maintaining copies of data, and many more.

Researchers discovered CVE-2023-22578 and CVE-2023-25813, two critical bugs in Sequelize that are rated with a CVSS score of 10 and should put all Sequelize users on alert because of the potential impact on their assets.

The root cause of CVE-2023-22578 lies in improper attribute filtering in the Sequelize library: an attacker can inject a malicious SQL query through the library itself. The vulnerability can be mitigated by not accepting untrusted input.

The Sequelize developers addressed this CVE with the release of version 7.0.0-alpha.20 on December 22, 2022, but no technical details of the bug have been provided so far.

The root cause of CVE-2023-25813 lies in the replacements option. It allows an attacker to pass dangerous values such as “OR true;” or “DROP TABLE” through the replacements construct, resulting in arbitrary SQL execution. This bug affects Sequelize versions prior to 6.19.1 and was fixed with the release of Sequelize version 6.19.2 on May 18, 2022. To reduce the risk, if you are not yet on Sequelize 6.19.2 or later, the replacements and where options should not be used in the same query.
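The mitigation above can be enforced in code rather than by convention. The following is an added example, not code from the article or from the Sequelize project: a guard that rejects query options combining `replacements` with `where`, and a helper that rewrites Sequelize's `:name` replacement placeholders into `$name` bind parameters, which are sent to the database separately from the SQL text instead of being interpolated into it. The function names are hypothetical; the options object is assumed to be the plain object passed to `sequelize.query` or a model finder.

```javascript
// Added example (not from the article or from Sequelize itself).
// Assumed input: a raw SQL string using Sequelize's ":name" replacement
// syntax and a plain options object; helper names are hypothetical.

// 1) Guard: refuse the option combination the article warns about, so the
//    same query never goes through both replacement processing and the
//    where-clause builder. Returns a list of problems (empty = OK).
function checkQueryOptions(options) {
  const problems = [];
  if (options.replacements !== undefined && options.where !== undefined) {
    problems.push('replacements and where must not be combined in one query');
  }
  for (const [key, value] of Object.entries(options.replacements || {})) {
    // Replacement values should be scalars; nested objects are a warning sign.
    if (value !== null && typeof value === 'object') {
      problems.push(`replacement "${key}" is not a scalar value`);
    }
  }
  return problems;
}

// 2) Migration helper: rewrite ":name" replacements into "$name" bind
//    parameters. The value travels out-of-band, so a string such as
//    "x' OR true; --" stays a plain value and never changes the statement.
//    PostgreSQL "::type" casts are left untouched by the lookbehind.
function replacementsToBind(sql, replacements) {
  const bind = {};
  const rewritten = sql.replace(/(?<!:):([A-Za-z_]\w*)/g, (match, name) => {
    if (!Object.prototype.hasOwnProperty.call(replacements, name)) {
      throw new Error(`no replacement value for :${name}`);
    }
    bind[name] = replacements[name];
    return `$${name}`;
  });
  return { sql: rewritten, bind };
}

// Constructed demonstration input (not a real query from any application).
function demo() {
  const unsafeOptions = { where: { id: 1 }, replacements: { age: 18 } };
  const converted = replacementsToBind(
    'SELECT * FROM users WHERE name = :name AND created::date = :day',
    { name: "x' OR true; --", day: '2023-02-23' }
  );
  return { problems: checkQueryOptions(unsafeOptions), converted };
}

module.exports = { checkQueryOptions, replacementsToBind, demo };
```

The rewritten statement is meant to be run as `sequelize.query(sql, { bind })`, with no `replacements` option at all.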

Another critical vulnerability being tracked is CVE-2023-22579 (CVSS score of 9.9), which gives an attacker the ability to access resources using incompatible object types because user input is not checked properly, stemming from an unsafe fall-through in GET WHERE conditions. It has been resolved in versions 7.0.0-alpha.20 and 6.28.1, released on Wednesday.

Given the severity of these vulnerabilities, users are advised to update to the latest version as soon as possible to mitigate the threat.
