CVE-2019-10752
SQL Injection vulnerability in sequelize (npm)
What is CVE-2019-10752 About?
This vulnerability is a SQL Injection flaw in `sequelize` due to incorrect formatting of sub-paths for JSON queries. Attackers can inject SQL statements and execute arbitrary SQL queries if user input is passed to the query. Exploitation is relatively straightforward if user input is not properly sanitized.
Affected Software
- sequelize
- >5.0.0, <5.15.1
- <4.44.3
Technical Details
Affected versions of the sequelize package contain a SQL Injection vulnerability. The `sequelize.json()` function, used for querying JSON data, incorrectly formats sub-paths. Specifically, if user-controlled input is directly embedded into the sub-path parameter, an attacker can terminate the intended JSON path and inject arbitrary SQL commands. For example, `this.sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1)` demonstrates how an attacker can close the JSON path expression and append malicious SQL, which the database then processes as part of the legitimate query, leading to data manipulation or exfiltration.
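The defensive counterpart to the behaviour described above, as an added example that is not sequelize's own code: a JSON sub-path is accepted only when every dotted segment is a plain key name, and is then rendered with each segment as a quoted string literal rather than spliced raw into the query. The column name, the `->`/`->>` Postgres operator syntax and the sample inputs are assumptions made for the example; the rejected payload is the one quoted in the advisory.

```javascript
// Added example, not sequelize's own code: validate a JSON sub-path
// before it reaches a query builder such as sequelize.json(), and
// render it so that no user-controlled character lands in raw SQL.
// Assumes Postgres "->" / "->>" operators and double-quoted identifiers.

const SAFE_SEGMENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const SAFE_IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Split a dotted sub-path ("data.id") and accept it only when every
// segment is a plain key name. Returns the segments, or null on rejection.
function validateJsonSubPath(subPath) {
  if (typeof subPath !== 'string' || subPath.length === 0) return null;
  const segments = subPath.split('.');
  return segments.every((s) => SAFE_SEGMENT.test(s)) ? segments : null;
}

// Build ("col"->'a'->>'b') from a validated path. Each segment is emitted
// as a single-quoted string literal with embedded quotes doubled; the
// allowlist already excludes quotes, so the doubling is a second layer.
function jsonPathExpression(column, subPath) {
  if (!SAFE_IDENT.test(column)) throw new Error('bad column: ' + column);
  const segments = validateJsonSubPath(subPath);
  if (segments === null) {
    throw new Error('rejected JSON sub-path: ' + JSON.stringify(subPath));
  }
  const lit = (s) => "'" + s.replace(/'/g, "''") + "'";
  const inner = segments.slice(0, -1).map((s) => '->' + lit(s)).join('');
  const last = '->>' + lit(segments[segments.length - 1]);
  return '("' + column + '"' + inner + last + ')';
}

// Constructed inputs: a legitimate path and the payload from the advisory.
const GOOD_PATH = 'data.id';
const ADVISORY_PAYLOAD = "data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ";

console.log(jsonPathExpression('profile', GOOD_PATH));
console.log(validateJsonSubPath(ADVISORY_PAYLOAD)); // null: rejected
```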
What is the Impact of CVE-2019-10752?
Successful exploitation may allow attackers to execute arbitrary SQL queries, leading to unauthorized data access, modification, or deletion, and potentially compromise the entire database.
What is the Exploitability of CVE-2019-10752?
Exploitation of this SQL Injection vulnerability is dependent on user-controlled input being passed directly and unsanitized to the sequelize.json() function. The complexity of crafting the malicious payload is moderate, requiring knowledge of SQL syntax and the database structure. No specific authentication or privilege requirements exist beyond having the ability to submit input processed by the vulnerable function. Access can be remote. The primary risk factor is applications that fail to properly sanitize or validate user input before using it in database queries, directly exposing them to this injection flaw.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-10752?
Available Upgrade Options
- sequelize
- <4.44.3 → Upgrade to 4.44.3
- sequelize
- >5.0.0, <5.15.1 → Upgrade to 5.15.1
Additional Resources
- https://github.com/sequelize/sequelize/commit/9bd0bc111b6f502223edf7e902680f7cc2ed541e
- https://github.com/sequelize/sequelize/pull/11329
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
- https://nvd.nist.gov/vuln/detail/CVE-2019-10752
- https://osv.dev/vulnerability/GHSA-m9jw-237r-gvfv
What are Similar Vulnerabilities to CVE-2019-10752?
Similar Vulnerabilities: CVE-2019-11358, CVE-2020-13766, CVE-2021-39145, CVE-2021-23382, CVE-2022-24792
