CVE-2022-2422 - Feathers - SQL injection via attribute aliases

CVE	CVE-2022-2422
Case	DIVD-2022-00020
Discovered by	Thomas Rinsma and Kevin Valk (Codean)
Credits	Discovered by Thomas Rinsma and Kevin Valk (Codean)
Products	Feather js: Feathers-Sequalize
Versions	Feather js: Feathers-Sequalize 6.x (< 6.3.4)
Page author	Victor Pasman
CVSS	Base score: 10
References	https://csirt.divd.nl/cves/CVE-2022-2422 https://csirt.divd.nl/cases/DIVD-2022-00020
Last modified	25 Oct 2022 19:12

Description

Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used.

JSON version

DIVD CSIRT

CVE-2022-2422 - Feathers - SQL injection via attribute aliases

Description