CVE-2024-21509
published 2024-04-10CVE-2024-21509: Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization…
PriorityP431medium6.5CVSS 3.1
AVNACLPRNUINSUCNILAL
EPSS
0.96%
57.2th percentile
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sidorares | mysql2 | < 3.9.4 | 3.9.4 |
| sidorares | mysql2 | >= 0 < 3.9.4 | 3.9.4 |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vendor_redhat6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
mysql2: Prototype Poisoning
vendor_redhat·2024-04-10·CVSS 6.5
CVE-2024-21509 [MEDIUM] CWE-1321 mysql2: Prototype Poisoning
mysql2: Prototype Poisoning
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
A prototype pollution vulnerability was found in mysql2. Insecure results in object creation and improper user input sanitization can lead to prototype poisoning.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: rhdh-operator-container (Red Hat Developer Hub) - Not affected
Package: rhdh/rhdh-hub-rhel9 (Red Hat Developer Hub) - Not affec
GHSA
mysql2 vulnerable to Prototype Poisoning
ghsa·2024-04-10
CVE-2024-21509 [MEDIUM] CWE-1321 mysql2 vulnerable to Prototype Poisoning
mysql2 vulnerable to Prototype Poisoning
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through `parserFn` in `text_parser.js` and `binary_parser.js`.
OSV
mysql2 vulnerable to Prototype Poisoning
osv·2024-04-10
CVE-2024-21509 [MEDIUM] mysql2 vulnerable to Prototype Poisoning
mysql2 vulnerable to Prototype Poisoning
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through `parserFn` in `text_parser.js` and `binary_parser.js`.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://blog.slonser.info/posts/mysql2-attacker-configuration/https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691https://github.com/sidorares/node-mysql2/pull/2574https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084https://blog.slonser.info/posts/mysql2-attacker-configuration/https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691https://github.com/sidorares/node-mysql2/pull/2574https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084
2024-04-10
Published