Lucene search

[email protected]NVD:CVE-2024-21509

HistoryApr 10, 2024 - 5:15 a.m.

CVE-2024-21509

2024-04-1005:15:48

CWE-1321

[email protected]

web.nvd.nist.gov

cve-2024-21509

prototype poisoning

insecure results object creation

improper user input sanitization

text_parser.js

binary_parser.js

mysql2 package

vulnerability

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

0.0004 Low

EPSS

Percentile

10.4%

JSON

Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.

References

blog.slonser.info/posts/mysql2-attacker-configuration/

github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134

github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691

github.com/sidorares/node-mysql2/pull/2574

github.com/sidorares/node-mysql2/releases/tag/v3.9.4

security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

0.0004 Low

EPSS

Percentile

10.4%

JSON

Related for NVD:CVE-2024-21509

cvelist1 cgr1 osv2 cve1 veracode1 redhatcve1 github1 wolfi1