CVE-2016-10553: Potential SQL Injection in sequelize

CVSS Score: N/A

Basic Information

EPSS Score: 0.51077%
Published: 2/18/2019
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| sequelize | npm | <= 2.1.3 | 3.0.0 |

Vulnerability Intelligence
Root Cause Analysis

The provided patches (29b6a54 and 2798738) do not address the SQL injection vulnerability (CVE-2016-10553) described in the advisory. The first commit fixes a delimiter collision in PostgreSQL function generation, and the second addresses a regression in timestamp handling. Neither patch modifies the findOne method or where clause processing, which are the vectors explicitly called out in the vulnerability description. The actual fix for CVE-2016-10553 likely resides in Sequelize 3.0.0's changes to input sanitization in query construction, but these changes are not present in the analyzed patches. Without direct evidence of vulnerable code paths in the provided diffs, no functions can be confidently identified for runtime detection.

WAF Protection Rules

WAF Rule

Affected versions of `sequelize` are vulnerable to SQL Injection when user input is passed into `findOne` or into a statement such as `where: "user input"`.

## Recommendation

Update to version 3.0.0 or later. Version 3.0.0 will introduce a num
