SQL Injection due to unescaped object keys

Module: mysql

Published: December 28th, 2015

Reported by: Sébastian Dejonghe

CVE-NONE

CWE-89

Vulnerable: <=v2.0.0-alpha7
Patched: >=v2.0.0-alpha8

Overview

Versions of mysql prior to 2.0.0-alpha8 are affected by a SQL Injection vulnerability in the mysql.escape() function, which does not properly escape object keys.
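The class of flaw described above, as an added example that is not the mysql module's source: a simplified model in which values are escaped but object keys are copied between backticks as-is, next to a form that quotes keys as identifiers, plus an allowlist check on keys. All function names, the assumed backtick handling and the sample object are constructed for illustration.

```javascript
// Simplified model of turning an object into "key = value" SQL pairs.
// Hypothetical helper names; this is not code from the mysql module.

// Escape a value as a SQL literal (minimal model: strings, numbers, null).
function escapeValue(v) {
  if (v === null || v === undefined) return 'NULL';
  if (typeof v === 'number' || typeof v === 'boolean') return String(v);
  return "'" + String(v).replace(/[\\']/g, '\\$&') + "'";
}

// Quote an identifier: wrap in backticks and double any embedded backtick.
function escapeId(name) {
  return '`' + String(name).replace(/`/g, '``') + '`';
}

// Flawed form (assumption): values are escaped, keys are not.
function objectToValuesUnsafe(obj) {
  return Object.keys(obj)
    .map((k) => '`' + k + '` = ' + escapeValue(obj[k]))
    .join(', ');
}

// Corrected form: keys go through identifier quoting as well.
function objectToValuesSafe(obj) {
  return Object.keys(obj)
    .map((k) => escapeId(k) + ' = ' + escapeValue(obj[k]))
    .join(', ');
}

// Defence in depth: accept only the column names the application expects.
function pickAllowed(obj, allowedColumns) {
  const out = {};
  for (const k of Object.keys(obj)) {
    if (!allowedColumns.includes(k)) {
      throw new Error('unexpected column: ' + JSON.stringify(k));
    }
    out[k] = obj[k];
  }
  return out;
}

// Constructed input: one key that contains backticks.
const constructedBody = { 'a` = 1, `b': 'x' };

console.log(objectToValuesUnsafe(constructedBody)); // one key becomes two assignments
console.log(objectToValuesSafe(constructedBody));   // key stays a single identifier
```

Applications that pass request-derived objects to the escaping function can apply a check like `pickAllowed` before building the query, independent of the module version in use.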

Remediation

Update to version 2.0.0-alpha8 or later.

References

Issue #324