*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.
Multi dialect ORM for Node.JS
Library home page: https://registry.npmjs.org/sequelize/-/sequelize-6.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/sequelize/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
WS-2022-0280
### Vulnerable Library - moment-timezone-0.5.34.tgzParse and display moments in any timezone.
Library home page: https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.34.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/moment-timezone/package.json
Dependency Hierarchy: - sequelize-6.9.0.tgz (Root Library) - :x: **moment-timezone-0.5.34.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsCommand Injection in moment-timezone before 0.5.35.
Publish Date: 2022-08-30
URL: WS-2022-0280
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-56x4-j7p9-fcf9
Release Date: 2022-08-30
Fix Resolution: moment-timezone - 0.5.35
CVE-2023-25813
### Vulnerable Library - sequelize-6.9.0.tgzMulti dialect ORM for Node.JS
Library home page: https://registry.npmjs.org/sequelize/-/sequelize-6.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/sequelize/package.json
Dependency Hierarchy: - :x: **sequelize-6.9.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsSequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.
Publish Date: 2023-02-22
URL: CVE-2023-25813
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-25813
Release Date: 2023-02-22
Fix Resolution: 6.19.1
:rescue_worker_helmet: Automatic Remediation is available for this issue
CVE-2023-22578
### Vulnerable Library - sequelize-6.9.0.tgzMulti dialect ORM for Node.JS
Library home page: https://registry.npmjs.org/sequelize/-/sequelize-6.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/sequelize/package.json
Dependency Hierarchy: - :x: **sequelize-6.9.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsDue to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.
Publish Date: 2023-02-16
URL: CVE-2023-22578
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-f598-mfpv-gmfx
Release Date: 2023-02-16
Fix Resolution: 6.29.0
:rescue_worker_helmet: Automatic Remediation is available for this issue
WS-2022-0284
### Vulnerable Library - moment-timezone-0.5.34.tgzParse and display moments in any timezone.
Library home page: https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.34.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/moment-timezone/package.json
Dependency Hierarchy: - sequelize-6.9.0.tgz (Root Library) - :x: **moment-timezone-0.5.34.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsCleartext Transmission of Sensitive Information in moment-timezone
Publish Date: 2022-08-30
URL: WS-2022-0284
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-v78c-4p63-2j6c
Release Date: 2022-08-30
Fix Resolution: moment-timezone - 0.5.35
CVE-2023-22579
### Vulnerable Library - sequelize-6.9.0.tgzMulti dialect ORM for Node.JS
Library home page: https://registry.npmjs.org/sequelize/-/sequelize-6.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/sequelize/package.json
Dependency Hierarchy: - :x: **sequelize-6.9.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsDue to improper parameter filtering in the sequalize js library, can a attacker peform injection.
Publish Date: 2023-02-16
URL: CVE-2023-22579
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-vqfx-gj96-3w95
Release Date: 2023-02-16
Fix Resolution: 6.28.1
:rescue_worker_helmet: Automatic Remediation is available for this issue
CVE-2023-22580
### Vulnerable Library - sequelize-6.9.0.tgzMulti dialect ORM for Node.JS
Library home page: https://registry.npmjs.org/sequelize/-/sequelize-6.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/sequelize/package.json
Dependency Hierarchy: - :x: **sequelize-6.9.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsDue to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.
Publish Date: 2023-02-16
URL: CVE-2023-22580
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-8c25-f3mj-v6h8
Release Date: 2023-02-16
Fix Resolution: 6.28.1
:rescue_worker_helmet: Automatic Remediation is available for this issue:rescue_worker_helmet: Automatic Remediation is available for this issue.