CVE-2023-22579 and CVE-2023-22580 #15698
Replies: 4 comments 2 replies
-
Hi :) I don't have an answer for this yet, I'm checking with the other maintainers. For reference, this is the PR that could be backported: #15375. To give some context about the issue, the Something like this:

```js
User.findAll({
  where: new Date(),
});
```

I personally think very few people are going to be impacted by this, but it was still a bad idea and something we fixed in v7. I'll keep this thread updated as I have more information.
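A defensive guard for the pattern shown in the comment above, added here as an example (it is not Sequelize's own code or its fix): application code can run it on a `where` value built from untrusted input before handing it to `findAll`, so that a non-object such as `new Date()` fails closed while plain objects (string or symbol keys, nested operator groups) pass through. The function names are assumptions.

```javascript
// Added example, not part of Sequelize. Assumption: `where` may be built from
// untrusted input and the application wants to reject anything that is not a
// plain object before it reaches Sequelize v6.

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Returns `where` unchanged when it is acceptable, throws TypeError otherwise.
function assertSafeWhere(where) {
  // `undefined` means "no filter" and is left alone.
  if (where === undefined) return where;
  if (!isPlainObject(where)) {
    // Catches the `where: new Date()` case from the thread, plus strings,
    // numbers, arrays and class instances used as the top-level filter.
    throw new TypeError(
      `where must be a plain object, got ${Object.prototype.toString.call(where)}`
    );
  }
  // Descend into nested plain objects and arrays of them so operator groups
  // such as `{ [Op.or]: [ {...}, {...} ] }` are checked too. Leaf values like
  // `{ createdAt: new Date() }` are legitimate comparisons and are allowed.
  for (const key of Reflect.ownKeys(where)) {
    const v = where[key];
    if (Array.isArray(v)) {
      v.forEach((item) => { if (isPlainObject(item)) assertSafeWhere(item); });
    } else if (isPlainObject(v)) {
      assertSafeWhere(v);
    }
  }
  return where;
}

// Usage in application code (hypothetical request handler):
//   const where = assertSafeWhere(buildWhereFromQuery(req.query));
//   const users = await User.findAll({ where });
```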
-
Hello Zoé, I just upgraded to version 6.28.1 and I am still seeing the alerts above and CVE-2023-22578 (https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324088). Is there something I am missing?
-
For CVE-2023-22579, while we published an update on GHSA-vqfx-gj96-3w95, we do not know how platforms like snyk update their vulnerability databases or how we can let them know that a fix has been released. For CVE-2023-22580, we're working on backporting the relevant fix to v6. See #15694 for CVE-2023-22578, as that one is more complicated and still being discussed internally.
-
Any update on this?
-
Hi
Snyk has alerted us to the following:
https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324089
https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090
I see these are fixed in the alpha for 7; are there any plans to backport for 6?
Thanks!