CVE-2023-22579 and CVE-2023-22580

[DevRCRun]

Hi

Snyk has alerted us to the following:

https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324089
https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090

I see these are fixed in the alpha for 7, is there any plans to backport for 6?

Thanks!

[ephys]

Hi :)

I don't have an answer for this yet, I'm checking with the other maintainers

For reference, this is the PR that could be backported #15375

To give some context about the issue, the where option will produce 1=1 if it's given something else than a plain javascript object, a literal(), or a where().

Something like this:

User.findAll({
  where: new Date(),
});

I personally think very few people are going to be impacted by this, but it was still a bad idea and something we fixed in v7.

I'll keep this thread updated as I have more information

[heidemn-faro]

Hi Zoé,
It seems the 1=1 behavior is unexpected and dangerous (I assume it's e.g. also used for DELETE and UPDATE queries?).
So I would vote for backporting the fix to 6.x.

I can't imagine any application that would rely on this behavior.
On the other hand, many corporate teams probably use security scanners that complain about the vulnerability.

[ephys]

We've now merged the backport, it has been released in 6.28.1

[aucarms]

Hello Zoé,

I just upgraded to version 6.28.1 and I am still seeing the alerts above and CVE-2023-22578 https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324088. Is there something I am missing?

[ephys]

For CVE-2023-22579, while we published an update on GHSA-vqfx-gj96-3w95, we do not know how platforms like snyk update their vulnerability databases or how we can let them know that a fix has been released

For CVE-2023-22580, we're working on backporting the relevant fix to v6

See #15694 for CVE-2023-22578, as that one is more complicated and still being discussed internally

[HMhamedminaee]

Any update on this?