DIVD-2022-00020: Unauthenticated SQL Injection in Feathers.js & Sequelize.js (CVE-2022-2422)

Key Information Vulnerability Description Title: DIVD-2022-00020 - Improper Input Validation Vulnerability Identified in Feathers.js Vulnerability Category: Improper Input Validation Affected Products: Feathers.js & Sequelize.js Affected Versions: 6.x < 6.3.4 CVE IDs: - CVE-2022-2422 - CVE-2022-29822 - CVE-2022-29823 - CVE-2023-22578 - CVE-2023-22579 - CVE-2023-22580 Vulnerability Impact Exploiting these vulnerabilities allows attackers to access the application over the network without authentication, and execute SQL injection attacks using Feathers.js and Sequelize.js. Recommended Actions It is recommended to use the latest version of Feathers.js. If a vulnerability notification is received, follow the instructions in the notification to remediate the system. Vulnerability Status Current Status: Closed Patch Status: Available Incident Timeline March 23, 2022: Vulnerability discovered by Thomas Rinsma and Kevin Valk from Codean April 4, 2022: DIVD testing confirmed the vulnerability still existed June 10, 2022: Vendor released a new version and requested retesting July 13, 2022: Confirmed vulnerability was fixed October 25, 2022: Limited disclosure May 27, 2023: Case closed due to inability to fingerprint the vulnerability Ongoing Activities DIVD is ensuring that system owners have received notifications regarding the vulnerability and is confirming the vulnerability through scanning vulnerable hosts. If an email regarding this case has been received, the vulnerability has been confirmed.

Goal Reached Thanks to every supporter — we hit 100%!

DIVD-2022-00020: Unauthenticated SQL Injection in Feathers.js & Sequelize.js (CVE-2022-2422)