CVE-2024-21509

CVSS V2 None CVSS V3 None

Description

Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.

Overview

CVE ID
CVE-2024-21509

Assigner
snyk

Vulnerability Status
PUBLISHED

Published Version
2024-04-10T05:00:00.795Z

Last Modified Date
2024-04-10T05:00:00.795Z

Weakness Enumerations

CWE	URL
CWE-1321	http://cwe.mitre.org/data/definitions/1321.html

References

Reference URL	Reference Tags
https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084
https://blog.slonser.info/posts/mysql2-attacker-configuration/
https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134
https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691
https://github.com/sidorares/node-mysql2/pull/2574
https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-21509
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21509

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 15:32:35				Added to TrackCVE