CVE-2023-22580 : Due to improper input filtering in the sequalize js library, can malicious queri

Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.

Published 2023-02-16 15:15:19

Updated 2023-04-28 18:52:22

Source Dutch Institute for Vulnerability Disclosure

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2023-22580

Sequelizejs » Sequelize » For Node.js
Versions before (<) 6.28.1
cpe:2.3:a:sequelizejs:sequelize:*:*:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha1 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha1:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha10 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha10:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha11 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha11:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha12 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha12:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha13 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha13:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha14 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha14:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha15 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha15:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha16 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha16:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha17 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha17:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha18 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha18:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha19 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha19:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha2 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha2:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha2.1 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha2.1:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha2.2 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha2.2:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha3 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha3:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha4 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha4:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha5 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha5:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha6 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha6:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha7 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha7:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha8 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha8:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Alpha9 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:alpha9:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Oc Test 1 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:oc_test_1:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Oc Test 2 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:oc_test_2:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Oc Test 3 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:oc_test_3:*:*:*:node.js:*:*
Matching versions
Sequelizejs » Sequelize » Version: 7.0.0 Update Oc Test 4 For Node.js
cpe:2.3:a:sequelizejs:sequelize:7.0.0:oc_test_4:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-22580

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 23 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-22580

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	Dutch Institute for Vulnerability Disclosure
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2023-22580

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Assigned by:
- csirt@divd.nl (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2023-22580

https://csirt.divd.nl/CVE-2023-22580

Sequalize - Bad query filtering leading to SQL errors | DIVD CSIRT
Third Party Advisory
https://csirt.divd.nl/DIVD-2022-00020/

DIVD-2022-00020 - Inproper input validation vulnerabilities identified within Feathers.js | DIVD CSIRT
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-22580

Products affected by CVE-2023-22580

Exploit prediction scoring system (EPSS) score for CVE-2023-22580

CVSS scores for CVE-2023-22580

CWE ids for CVE-2023-22580

References for CVE-2023-22580