漏洞标题
N/A
漏洞描述信息
sequelize 是一个对象关系映射器,或中间人,将数据从 PostgreSQL、MySQL、MariaDB、SQLite 和 Microsoft SQL Server 转换为可用数据,并将其提供给 NodeJS。在 PostgreSQL、SQLite 和 Microsoft SQL Server 中,有一个问题,即数组被视为字符串,并未正确 escaping。这导致在 sequelize 3.19.3 和更早版本中的潜在 SQL 注入。恶意用户可以将 `["test", "'); DELETE TestTable WHERE Id = 1 --')` 放在 ```database.query('SELECT * FROM TestTable WHERE Name IN (:names)', { replacements: { names: directCopyOfUserInput }}); ``` 中,并导致 SQL 语句变成 `SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --')`. 在 PostgreSQL、MSSQL 和 SQLite 中,backslash 没有特殊意义。这导致该语句删除 TestTable 表中的 1 号 Id 的所有值。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. This causes potential SQL injection in sequelize 3.19.3 and earlier, where a malicious user could put `["test", "'); DELETE TestTable WHERE Id = 1 --')"]` inside of ``` database.query('SELECT * FROM TestTable WHERE Name IN (:names)', { replacements: { names: directCopyOfUserInput } }); ``` and cause the SQL statement to become `SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --')`. In Postgres, MSSQL, and SQLite, the backslash has no special meaning. This causes the the statement to delete whichever Id has a value of 1 in the TestTable table.
CVSS信息
N/A
漏洞类别
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
漏洞标题
sequelize SQL注入漏洞
漏洞描述信息
sequelize是一个用于Node.js的数据库ORM(对象关系映射)工具。 sequelize 3.19.3及之前版本中存在SQL注入漏洞,该漏洞源于程序将数组用作字符串而却没有正确的对其进行编码。攻击者可利用该漏洞删除TestTable表单中带有1的ID。
CVSS信息
N/A
漏洞类别
SQL注入