SCA: security update for sequelize (GHSA-9c2p-jw8p-f84v)

high Tenable Self-Hosted Container Security Plugin ID 422652

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB,
SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server
there is an issue where arrays are treated as strings and improperly escaped. This causes potential SQL
injection in sequelize 3.19.3 and earlier, where a malicious user could put `["test", "'); DELETE
TestTable WHERE Id = 1 --')"]` inside of ``` database.query('SELECT * FROM TestTable WHERE Name IN
(:names)', { replacements: { names: directCopyOfUserInput } }); ``` and cause the SQL statement to become
`SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --')`. In Postgres,
MSSQL, and SQLite, the backslash has no special meaning. This causes the the statement to delete whichever
Id has a value of 1 in the TestTable table. (CVE-2016-10556)

See Also

https://github.com/advisories/GHSA-9c2p-jw8p-f84v

Plugin Details

Severity: High

ID: 422652

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 3/28/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2016-10556

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/18/2019

Vulnerability Publication Date: 4/18/2016

Reference Information

CVE: CVE-2016-10556

cwe: CWE-89