New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency sequelize to v4.44.3 [SECURITY] #142

Open

renovate wants to merge 1 commit into dev from renovate/npm-sequelize-vulnerability

renovate bot commented May 28, 2023 •

edited

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
sequelize (source)	`4.43.0` -> `4.44.3`

GitHub Vulnerability Alerts

CVE-2019-10752

Affected versions of sequelize are vulnerable to SQL Injection. The function sequelize.json() incorrectly formatted sub paths for JSON queries, which allows attackers to inject SQL statements and execute arbitrary SQL queries if user input is passed to the query. Exploitation example:

return User.findAll({
  where: this.sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1)
});

Recommendation

If you are using sequelize 5.x, upgrade to version 5.15.1 or later.
If you are using sequelize 4.x, upgrade to version 4.44.3 or later.

CVE-2019-10748

Affected versions of sequelize are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the MariaDB and MySQL dialects, which may allow attackers to inject SQL statements and execute arbitrary SQL queries.

Recommendation

If you are using sequelize 5.x, upgrade to version 5.8.11 or later.
If you are using sequelize 4.x, upgrade to version 4.44.3 or later.
If you are using sequelize 3.x, upgrade to version 3.35.1 or later.

Release Notes

sequelize/sequelize (sequelize)

`v4.44.3`

Security

This release fixes two security issues for MySQL, both affecting same component.

https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450221

mysql: json path security issues (#11332) (efd2f40)

`v4.44.2`

Bug Fixes

use files and remove .npmignore (6674a3c)

`v4.44.1`

Bug Fixes

pool: destroy pooled errors properly with replication (#11140) (a1ccf04)

`v4.44.0`

Bug Fixes

redshift: allow standard_conforming_strings option (#10816) (a32263f)

Features

postgres: enable standard conforming strings when required (#10746) (c9d3a97)

`v4.43.2`

Bug Fixes

mssql: subquery handling for order (#10769) (73d7a65)

`v4.43.1`

Bug Fixes

mysql: boolean TINYINT support (#10660) (2f92e21)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          Update dependency sequelize to v4.44.3 [SECURITY]

f96fd47

renovate bot force-pushed the renovate/npm-sequelize-vulnerability branch from ecacb06 to f96fd47 Compare

April 23, 2024 22:47

renovate bot changed the title ~~Update dependency sequelize to v6 [SECURITY]~~ Update dependency sequelize to v4.44.3 [SECURITY]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment