Search criteria
3 vulnerabilities by Feather js
CVE-2022-2422 (GCVE-0-2022-2422)
Vulnerability from cvelistv5 – Published: 2022-10-25 00:00 – Updated: 2025-03-11 13:41
VLAI?
Title
Feathers - SQL injection via attribute aliases
Summary
Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used.
Severity ?
10 (Critical)
CWE
- CWE-89 - SQL Injection
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Feather js | Feathers-Sequalize |
Affected:
6.x , < 6.3.4
(custom)
|
Credits
Thomas Rinsma (Codean)
Kevin Valk (Codean)
Victor Pasman (DIVD)
Frank Breedijk (DIVD)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:07.281Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/DIVD-2022-00020"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/CVE-2022-2422"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Feathers-Sequalize",
"vendor": "Feather js",
"versions": [
{
"lessThan": "6.3.4",
"status": "affected",
"version": "6.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Rinsma (Codean)"
},
{
"lang": "en",
"type": "finder",
"value": "Kevin Valk (Codean)"
},
{
"lang": "en",
"type": "analyst",
"value": "Victor Pasman (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Frank Breedijk (DIVD)"
}
],
"datePublic": "2022-10-24T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used."
}
],
"value": "Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T13:41:09.960Z",
"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"shortName": "DIVD"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/DIVD-2022-00020"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/CVE-2022-2422"
}
],
"source": {
"advisory": "DIVD-2022-00020",
"discovery": "EXTERNAL"
},
"title": "Feathers - SQL injection via attribute aliases",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"assignerShortName": "DIVD",
"cveId": "CVE-2022-2422",
"datePublished": "2022-10-25T00:00:00",
"dateReserved": "2022-07-15T00:00:00",
"dateUpdated": "2025-03-11T13:41:09.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29823 (GCVE-0-2022-29823)
Vulnerability from cvelistv5 – Published: 2022-10-25 00:00 – Updated: 2025-03-11 13:39
VLAI?
Title
Feathers - Query “__proto__” is converted to real prototype
Summary
Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application.
Severity ?
10 (Critical)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ("Prototype Pollution")
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Feather js | Feathers-Sequalize |
Affected:
6.x , < 6.3.4
(custom)
|
Credits
Thomas Rinsma (Codean)
Kevin Valk (Codean)
Victor Pasman (DIVD)
Frank Breedijk (DIVD)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:33:42.743Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/DIVD-2022-00020"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/CVE-2022-29823/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Feathers-Sequalize",
"vendor": "Feather js",
"versions": [
{
"lessThan": "6.3.4",
"status": "affected",
"version": "6.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Rinsma (Codean)"
},
{
"lang": "en",
"type": "finder",
"value": "Kevin Valk (Codean)"
},
{
"lang": "en",
"type": "analyst",
"value": "Victor Pasman (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Frank Breedijk (DIVD)"
}
],
"datePublic": "2022-10-24T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application."
}
],
"value": "Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\"Prototype Pollution\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T13:39:49.662Z",
"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"shortName": "DIVD"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/DIVD-2022-00020"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/CVE-2022-29823/"
}
],
"source": {
"advisory": "DIVD-2022-00020",
"discovery": "EXTERNAL"
},
"title": "Feathers - Query \u201c__proto__\u201d is converted to real prototype",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"assignerShortName": "DIVD",
"cveId": "CVE-2022-29823",
"datePublished": "2022-10-25T00:00:00",
"dateReserved": "2022-04-27T00:00:00",
"dateUpdated": "2025-03-11T13:39:49.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29822 (GCVE-0-2022-29822)
Vulnerability from cvelistv5 – Published: 2022-10-25 00:00 – Updated: 2025-03-11 13:39
VLAI?
Title
Feathers - Improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection
Summary
Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection
Severity ?
10 (Critical)
CWE
- CWE-89 - SQL Injection
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Feather js | Feathers-Sequalize |
Affected:
6.x , < 6.3.4
(custom)
|
Credits
Thomas Rinsma (Codean)
Kevin Valk (Codean)
Victor Pasman (DIVD)
Frank Breedijk (DIVD)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:33:42.585Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/CVE-2022-29822/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/DIVD-2022-00020"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Feathers-Sequalize",
"vendor": "Feather js",
"versions": [
{
"lessThan": "6.3.4",
"status": "affected",
"version": "6.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Rinsma (Codean)"
},
{
"lang": "en",
"type": "finder",
"value": "Kevin Valk (Codean)"
},
{
"lang": "en",
"type": "analyst",
"value": "Victor Pasman (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Frank Breedijk (DIVD)"
}
],
"datePublic": "2022-10-24T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection"
}
],
"value": "Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T13:39:56.587Z",
"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"shortName": "DIVD"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/CVE-2022-29822/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/DIVD-2022-00020"
}
],
"source": {
"advisory": "DIVD-2022-00020",
"discovery": "EXTERNAL"
},
"title": "Feathers - Improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"assignerShortName": "DIVD",
"cveId": "CVE-2022-29822",
"datePublished": "2022-10-25T00:00:00",
"dateReserved": "2022-04-27T00:00:00",
"dateUpdated": "2025-03-11T13:39:56.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}