CVE-2019-11069 — SQL Injection in sequelize

Description

Versions of `sequelize` prior to 5.3.0 (excluding v3 and v4) are vulnerable to SQL Injection. PostgreSQL option`standard_conforming_strings` is not set to `on` by default, which may allow attackers to inject SQL statements due to poor handling of backslashes in string literals. ## Recommendation Upgrade to version 5.3.0 or later.

How to fix CVE-2019-11069

To remediate CVE-2019-11069, upgrade the affected package to a fixed version below.

—upgrade to 5.3.0 or later

Is CVE-2019-11069 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 5.0.0, < 5.3.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-11069
PATCHgithub.com/sequelize/sequelize
WEBgithub.com/sequelize/sequelize/blob/98cb17c17f73e2aa1792aa5a1d31216ba984b456/lib/dialects/postgres/connection-manager.js#L158-L160
WEBgithub.com/sequelize/sequelize/commit/850c7fd04669e0fef9238b6dc4f8d6ee93ed71e9