Vulnerability

CVE-2019-10757

 Report advisory or correction

CVSS Score 9.8 critical

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-89

References

https://github.com/knex/knex/pull/3382
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10757

[CVE-2019-10757] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

knex.js versions before 0.19.5 are vulnerable to SQL Injection attack. Identifiers are escaped incorrectly as part of the MSSQL dialect, allowing attackers to craft a malicious query to the host DB.

Deviation Notice:
Sonatype's research suggests that this CVE's details differ from those defined at NVD or other reporting sources; sign in for details.

Sign up and see:

Detailed deviation notices:
  • Detailed deviations
  • References
  • Custom Descriptions [Coming Soon]
Sign Up
See knex package information