Sequelize Weak TLS Version
Description
The Sequelize connection options request an outdated minimum TLS version. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996) and must not be used. When `dialectOptions.ssl.minVersion` is not set, the minimum is inherited from the Node.js runtime's TLS defaults (TLS 1.2 on current releases); TLS 1.3 is recommended. This rule does not apply to the SQLite dialect, which reads a local file rather than opening a network connection.
Examples
Insecure Code
```javascript
const { Sequelize } = require('sequelize');

// Vulnerable: minVersion 'TLSv1' lets the client negotiate deprecated TLS 1.0
const sequelize = new Sequelize('database', 'username', 'password', {
  host: 'localhost',
  dialect: 'mysql',
  dialectOptions: {
    ssl: {
      minVersion: 'TLSv1',
    },
  },
});
```
Secure Code
```javascript
const { Sequelize } = require('sequelize');

// Secure: the handshake fails unless the server offers TLS 1.3
const sequelize = new Sequelize('database', 'username', 'password', {
  host: 'localhost',
  dialect: 'mysql',
  dialectOptions: {
    ssl: {
      minVersion: 'TLSv1.3',
    },
  },
});
```
Remediation
Set `dialectOptions.ssl.minVersion` in the Sequelize connection options to a secure version, preferably `'TLSv1.3'` (and never below `'TLSv1.2'`), and remove any `maxVersion` that would cap the connection below it. Confirm that the database server and its TLS library support the version you enforce: a client minimum the server cannot meet fails at the handshake rather than falling back.
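The following is an added example, not code from this rule page or from Sequelize: a pre-flight check that inspects a Sequelize options object the way this rule does (including the SQLite exemption and a `maxVersion` below the minimum), plus a helper that raises the minimum to TLS 1.3 before `new Sequelize(...)` is called. The function names, the assumed Node default of TLS 1.2, and the sample configurations are all constructed here.

```javascript
// Added example (not part of the rule page or of Sequelize). Checks and hardens
// the `dialectOptions.ssl` block that Sequelize forwards to the driver and on to
// Node's tls.connect(). Function names and sample configs are constructed here.

// Protocol names as Node's `tls` module spells them, oldest first.
const TLS_ORDER = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'];
const DEPRECATED_TLS = new Set(['TLSv1', 'TLSv1.1']);

// Dialects that read a local file; TLS settings are meaningless for them.
const NO_NETWORK_DIALECTS = new Set(['sqlite']);

// Assumption: the runtime's default minimum is TLS 1.2, as on current Node
// releases. Pass the real tls.DEFAULT_MIN_VERSION if your runtime differs.
const NODE_DEFAULT_MIN = 'TLSv1.2';

// Returns the ssl setting as an object when it is one, otherwise null
// (`true`, `false`, a mysql2 profile string, or absent).
function sslObject(options) {
  const ssl = options.dialectOptions && options.dialectOptions.ssl;
  return ssl && typeof ssl === 'object' ? ssl : null;
}

// Returns a list of findings for `options`; an empty list means clean.
function checkSequelizeTls(options, nodeDefaultMin = NODE_DEFAULT_MIN) {
  const findings = [];
  if (NO_NETWORK_DIALECTS.has(options.dialect)) return findings;

  const ssl = options.dialectOptions && options.dialectOptions.ssl;
  // `ssl: false` or no ssl block disables TLS entirely; that is another rule.
  if (ssl === false || ssl === undefined) return findings;

  // `ssl: true` or a profile string carries no minVersion, so the runtime
  // default applies; an object is passed through to tls.connect() as-is.
  const obj = sslObject(options);
  const min = (obj && obj.minVersion) || nodeDefaultMin;
  if (!TLS_ORDER.includes(min)) {
    findings.push(`unknown minVersion '${min}'`);
    return findings;
  }
  if (DEPRECATED_TLS.has(min)) {
    findings.push(`minVersion ${min} is deprecated; use TLSv1.2 or, preferably, TLSv1.3`);
  }
  // A maxVersion below the minimum can never complete a handshake.
  if (obj && obj.maxVersion && TLS_ORDER.indexOf(obj.maxVersion) < TLS_ORDER.indexOf(min)) {
    findings.push(`maxVersion ${obj.maxVersion} is below minVersion ${min}`);
  }
  return findings;
}

// Returns a copy of `options` whose ssl block enforces at least `target`.
// Stricter existing settings are kept; sqlite, `ssl: false` and profile
// strings are returned unchanged. An absent block becomes one requiring TLS.
function hardenSequelizeTls(options, target = 'TLSv1.3') {
  if (NO_NETWORK_DIALECTS.has(options.dialect)) return options;
  const dialectOptions = options.dialectOptions || {};
  const ssl = dialectOptions.ssl;
  if (ssl === false || typeof ssl === 'string') return options;

  const hardened = { ...(sslObject(options) || {}) };
  const current = hardened.minVersion || NODE_DEFAULT_MIN;
  if (TLS_ORDER.indexOf(current) < TLS_ORDER.indexOf(target)) {
    hardened.minVersion = target;
  }
  // Drop a maxVersion that would contradict the (possibly raised) minimum.
  const effectiveMin = hardened.minVersion || NODE_DEFAULT_MIN;
  if (hardened.maxVersion && TLS_ORDER.indexOf(hardened.maxVersion) < TLS_ORDER.indexOf(effectiveMin)) {
    delete hardened.maxVersion;
  }
  return { ...options, dialectOptions: { ...dialectOptions, ssl: hardened } };
}

// Constructed sample configurations mirroring the rule's examples.
const weakConfig = {
  host: 'localhost',
  dialect: 'mysql',
  dialectOptions: { ssl: { minVersion: 'TLSv1' } },
};
const sqliteConfig = { dialect: 'sqlite', storage: ':memory:' };

console.log(checkSequelizeTls(weakConfig));                      // one finding
console.log(checkSequelizeTls(hardenSequelizeTls(weakConfig)));  // []
console.log(checkSequelizeTls(sqliteConfig));                    // []
```

`hardenSequelizeTls` never mutates its input, so it can be applied to a shared config object at startup and the result handed to the `Sequelize` constructor; if the server cannot offer TLS 1.3, lower `target` to `'TLSv1.2'` rather than reintroducing a deprecated version.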
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0364 |
| Category | Crypto |
| Severity | CRITICAL |
| CWE | CWE-757 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | TLS, SSL |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |