GoogleOSV:GHSA-49J4-86M8-Q2JWmysql2 vulnerable to Prototype Poisoning
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
7 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.4%
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
References
blog.slonser.info/posts/mysql2-attacker-configuration
github.com/sidorares/node-mysql2
github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134
github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691
github.com/sidorares/node-mysql2/pull/2574
github.com/sidorares/node-mysql2/releases/tag/v3.9.4
nvd.nist.gov/vuln/detail/CVE-2024-21509
security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
7 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.4%