← voltar
CVE-2022-33171

CVE-2022-33171

EPSS 20.3%
The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor's position is that the user's application is responsible for input validation
Produtos afetados
n/a · n/a

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
http://packetstormsecurity.com/files/168096/TypeORM-0.3.7-Information-Disclosure.htmlhttp://seclists.org/fulldisclosure/2022/Aug/7https://github.com/typeorm/typeorm/compare/0.2.45...0.3.0https://seclists.org/fulldisclosure/2022/Jun/51