QwikSec

Security Database

CVE

CWE

Training

CVE-2022-33171

Published: Jul 4, 2022

Modified: Aug 3, 2024

PUBLISHED

Description

The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor's position is that the user's application is responsible for input validation

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/typeorm/typeorm/compare/0.2.45...0.3.0

x_refsource_MISC

https://seclists.org/fulldisclosure/2022/Jun/51

x_refsource_MISC

20220815 Re: typeorm CVE-2022-33171

mailing-list

x_refsource_FULLDISC

http://packetstormsecurity.com/files/168096/TypeORM-0.3.7-Information-Disclosure.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.