CVE-2016-10556

Description

Affected versions of `sequelize` cast arrays to strings and fail to properly escape the resulting SQL statement, resulting in a SQL injection vulnerability. ## Proof of Concept In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. Example Query: ``` database.query('SELECT * FROM TestTable WHERE Name IN (:names)', { replacements: { names: directCopyOfUserInput } }); ``` If the user inputs the value of `:names` as: ``` ["test", "'); DELETE TestTable WHERE Id = 1 --')"] ``` The resulting SQL statement will be: ```sql SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --') ``` As the backslash has no special meaning in PostgreSQL, MSSQL, or SQLite, the statement will delete the record in TestTable with an Id of 1. ## Recommendation Update to version 3.20.0 or later.

How to fix CVE-2016-10556

To remediate CVE-2016-10556, upgrade the affected package to a fixed version below.

• —upgrade to 3.20.0 or later

Is CVE-2016-10556 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 3.20.0

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10556
• WEBgithub.com/sequelize/sequelize/commit/23952a2b020cc3571f090e67dae7feb084e1be71
• WEBgithub.com/sequelize/sequelize/commits/v3.20.0?after=62e4dacb28a779a190a3e042b971dcd8c7926e49+34&branch=v3.20.0&qualified_name=refs%2Ftags%2Fv3.20.0
• WEBgithub.com