DIVD-2022-00020 - Inproper input validation vulnerabilities identified within Feathers.js

Our reference DIVD-2022-00020
Case lead Ralph Horn
Author Victor Pasman
Researcher(s)
CVE(s)
Product Feathers.js & Sequalize.js
Versions 6.x < 6.3.4
Recommendation If you received a notification of a vulnerability, patch your system with the information provided in this notification.
Patch status Available
Status Closed
Last modified 28 May 2023 20:52 CEST

Summary

By leveraging the vulnerabilities, an unauthenticated attacker with network access to the application using Feathers.js and Sequelize.js can perform SQL-injections.

What you can do

We recommend to use the latest version of Feathers.js

What we are doing

Timeline

Date Description
23 Mar 2022 Vulnerability discovered by Thomas Rinsma and Kevin Valk from Codean.
04 Apr 2022 Testing by DIVD conforms that the vulnerabilities are still present in the product.
10 Jun 2022 Vendor releases new update and asks us to retest vulnerabilities.
13 Jul 2022 We confirm vulnerabilities have been fixed.
25 Oct 2022 Limited Disclosure
27 May 2023 Case closed, because we were unable to fingerprint for the vulnerability.
gantt title DIVD-2022-00020 - Inproper input validation vulnerabilities identified within Feathers.js dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00020 - Inproper input validation vulnerabilities identified within Feathers.js (458 days) :2022-02-23, 2023-05-27 section Events Vulnerability discovered by Thomas Rinsma and Kevin Valk from Codean. : milestone, 2022-03-23, 0d Testing by DIVD conforms that the vulnerabilities are still present in the product. : milestone, 2022-04-04, 0d Vendor releases new update and asks us to retest vulnerabilities. : milestone, 2022-06-10, 0d We confirm vulnerabilities have been fixed. : milestone, 2022-07-13, 0d Limited Disclosure : milestone, 2022-10-25, 0d Case closed, because we were unable to fingerprint for the vulnerability. : milestone, 2023-05-27, 0d

More information