CVE-2024-21507
published 2024-04-10CVE-2024-21507: Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An…
PriorityP428medium5.3CVSS 3.1
AVNACLPRNUINSUCNILAN
EPSS
0.74%
50.1th percentile
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sidorares | mysql2 | < 3.9.3 | 3.9.3 |
| sidorares | mysql2 | >= 0 < 3.9.3 | 3.9.3 |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vendor_redhat6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
mysql2 cache poisoning vulnerability
ghsa·2024-04-10
CVE-2024-21507 [MEDIUM] CWE-20 mysql2 cache poisoning vulnerability
mysql2 cache poisoning vulnerability
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the `keyFromFields` function, resulting in cache poisoning. An attacker can inject a colon `:` character within a value of the attacker-crafted key.
OSV
mysql2 cache poisoning vulnerability
osv·2024-04-10
CVE-2024-21507 [MEDIUM] mysql2 cache poisoning vulnerability
mysql2 cache poisoning vulnerability
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the `keyFromFields` function, resulting in cache poisoning. An attacker can inject a colon `:` character within a value of the attacker-crafted key.
Red Hat
mysql2: Improper Input Validation
vendor_redhat·2024-04-10·CVSS 6.5
CVE-2024-21507 [MEDIUM] CWE-20 mysql2: Improper Input Validation
mysql2: Improper Input Validation
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
A flaw was found in the MySQL2 npm package. Affected versions of this package are vulnerable to improper input validation through the keyFromFields function, resulting in cache poisoning. This flaw allows an attacker to inject a colon (:) character within a value of the attacker-crafted key.
Statement: The Red Hat Developer Hub remains unaffected by this vulnerability since it does not include the vulnerable codebase or version.
Mitigation: Mitigation for this issue is either not available or the currently availab
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://blog.slonser.info/posts/mysql2-attacker-configuration/https://github.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10df02c818https://github.com/sidorares/node-mysql2/pull/2424https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591300https://blog.slonser.info/posts/mysql2-attacker-configuration/https://github.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10df02c818https://github.com/sidorares/node-mysql2/pull/2424https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591300
2024-04-10
Published