Vulnerability Description
Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.
CVSS Score
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sequelizejs | Sequelize | >= 3.0.0, < 3.35.1 |
Related Weaknesses (CWE)
References
- https://github.com/sequelize/sequelize/commit/a72a3f5%2C
- https://github.com/sequelize/sequelize/pull/11089%2C
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450221ExploitThird Party Advisory
- https://github.com/sequelize/sequelize/commit/a72a3f5%2C
- https://github.com/sequelize/sequelize/pull/11089%2C
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450221ExploitThird Party Advisory
FAQ
What is CVE-2019-10748?
CVE-2019-10748 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.
How severe is CVE-2019-10748?
CVE-2019-10748 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-10748?
Check the references section above for vendor advisories and patch information. Affected products include: Sequelizejs Sequelize.