Is Mend vulnerable to the Sequelize SQL Injection vulnerability, CVE-2023-25813?
On February 22, 2023, a new vulnerability was disclosed for the npm package Sequelize. CVE-2023-25813 is categorized as CRITICAL, with a CVSS score of 10.0.
Mend is up to date with the CVE details and we encourage our customers to scan any new projects with Mend to identify whether their code is impacted by this vulnerability.
What is CVE-2023-25813?
From the Sequelize Advisory, CVE-2023-25813 is described as:
The SQL injection exploit is related to replacements. Here is an example:
In the following query, some parameters are passed through replacements, and some are passed directly through the where option.
const { or, literal } = require('sequelize'); // User is a Sequelize model defined elsewhere

User.findAll({
  where: or(
    // :firstName is a replacement token, resolved by Sequelize
    literal('soundex("firstName") = soundex(:firstName)'),
    // lastName is a plain value, escaped by the query builder
    { lastName: lastName },
  ),
  replacements: { firstName },
})
This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the where option, then passed it over to sequelize.query, which parsed the resulting SQL to inject all :replacements.
If the user passed values such as
{
"firstName": "OR true; DROP TABLE users;",
"lastName": ":firstName"
}
Sequelize would first generate this query:
SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'
Then would inject replacements in it, which resulted in this:
SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''
As you can see this resulted in arbitrary user-provided SQL being executed.
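To make the order of operations concrete, here is an added JavaScript model of the two pipelines (it is illustration code, not the advisory's text or Sequelize's source). The helper names escapeString, injectReplacements, buildWhere, vulnerableQuery and fixedQuery are hypothetical and deliberately simplified; Sequelize's real replacement parser is more involved. The vulnerable path mirrors the pre-6.19.1 behaviour: escape the where values, assemble the full SQL, then scan the finished string for :tokens. The fixed path resolves :replacements inside literal() fragments before the WHERE clause is assembled, so text that the builder already escaped is never re-parsed. Fed the advisory's inputs, the vulnerable path reproduces the injected query shown above exactly.

```javascript
// Added example: a minimal model of how a query builder can become injectable
// by applying :replacements to already-escaped SQL. All helper names are
// hypothetical; they are not Sequelize's internal API.

// Escape a JS string as a single-quoted SQL literal (embedded quotes doubled).
function escapeString(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Replace every :name token in a raw SQL fragment with the escaped value.
// Applied to a finished query, this also rewrites tokens that arrived inside
// user data, which is the root cause of CVE-2023-25813.
function injectReplacements(sql, replacements) {
  return sql.replace(/:(\w+)/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(replacements, name)
      ? escapeString(replacements[name])
      : match,
  );
}

// Build a WHERE clause from conditions OR'd together. A condition is either
// { literal: 'raw sql' } or { column, value }. With replaceInLiteralsOnly set,
// tokens are resolved inside literal fragments only, before assembly.
function buildWhere(conditions, replacements, { replaceInLiteralsOnly }) {
  const parts = conditions.map((cond) => {
    if (cond.literal !== undefined) {
      return replaceInLiteralsOnly
        ? injectReplacements(cond.literal, replacements)
        : cond.literal;
    }
    return `"${cond.column}" = ${escapeString(cond.value)}`;
  });
  return parts.join(' OR ');
}

// Vulnerable order (pre-6.19.1 behaviour): assemble, then scan the whole string.
function vulnerableQuery(table, conditions, replacements) {
  const where = buildWhere(conditions, replacements, { replaceInLiteralsOnly: false });
  const sql = `SELECT * FROM ${table} WHERE ${where}`;
  return injectReplacements(sql, replacements);
}

// Fixed order: resolve replacements in literals first, then assemble.
function fixedQuery(table, conditions, replacements) {
  const where = buildWhere(conditions, replacements, { replaceInLiteralsOnly: true });
  return `SELECT * FROM ${table} WHERE ${where}`;
}

// Constructed input: the attacker-controlled values from the advisory.
const attackerInput = {
  firstName: 'OR true; DROP TABLE users;',
  lastName: ':firstName',
};

function conditionsFor(input) {
  return [
    { literal: 'soundex("firstName") = soundex(:firstName)' },
    { column: 'lastName', value: input.lastName },
  ];
}

const vulnerableSql = vulnerableQuery(
  'users', conditionsFor(attackerInput), { firstName: attackerInput.firstName });
const fixedSql = fixedQuery(
  'users', conditionsFor(attackerInput), { firstName: attackerInput.firstName });

console.log('vulnerable:', vulnerableSql);
console.log('fixed:     ', fixedSql);
```

In the vulnerable output the escaped lastName value ':firstName' is rewritten a second time, breaking out of its quotes; in the fixed output it survives as an ordinary string literal. The same lesson applies to any home-grown templating layered on top of a query builder: never run a token or string substitution over SQL that already contains escaped user data, and prefer bind parameters where the driver offers them.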
What components are impacted by CVE-2023-25813?
Only Sequelize versions earlier than v6.19.1 are affected by CVE-2023-25813; v6.19.1 and later contain the fix.
What is Mend’s recommended action to fix the CVE-2023-25813 for my own products?
Run an organization-wide inventory report. If you require a report spanning multiple organizations or have over 1000 products, we recommend using the Mend Bulk Report Generator tool to streamline report generation.
If you have a global organization and are a global admin, you can run asynchronous reports across all of your organizations via the Global Admin console > Account Report Export setting.
Search the inventory report for libraries flagged with the referenced vulnerability to identify impacted applications.
Contact the relevant teams and alert them to the urgency and the fix.
Users of affected versions should apply the necessary mitigations or remediations:
Mitigation Recommendations: Advisory: Sequelize GitHub Repository
Remediation Recommendations: Mend Database: CVE-2023-25813
Are Mend offerings vulnerable to CVE-2023-25813?
Mend products are not vulnerable to CVE-2023-25813.
Frequently Asked Questions
Q: Do I need to rescan my projects to detect this vulnerability?
A: No, Mend keeps a current list of vulnerabilities in our index, and alerts are automatically applied to a vulnerability once the index is updated.
Q: How can Mend alert me when a vulnerability of this severity is introduced in my project?
A: If you have policies set up in your organization, Mend will automatically notify you in case you are affected by this vulnerability. To set up a policy within your organization, please review our Policies documentation. If you do not wish to set this up, you can utilize the Security Alerts reports for the CVEs.
Q: How can I tell if this vulnerability is one of my transitive dependencies?
A: Our Inventory report, Security Alerts reports, and the Library Details page all provide documentation for analyzing your inventory’s dependency trees to help you determine your next steps in mitigating this vulnerability. To retrieve the reports mentioned, navigate to the corresponding page in your Mend UI, or use our asynchronous Reports APIs or synchronous APIs.
Related Documentation
Mend Database: CVE-2023-25813
Sequelize GitHub Repository
NVD Website: CVE-2023-25813
CVE Website: CVE-2023-25813