CVE-2024-21512
Published: 2024-05-29
Priority P3 · 47 · high · 8.2 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:L
EPSS: 3.11% (86.2th percentile)
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sidorares | mysql2 | >= 0 < 3.9.8 | 3.9.8 |
Detection & IOCs (extracted from sources)
- Vulnerability is triggered via improper user input sanitization passed to the `fields` and `tables` parameters when using the `nestTables` option in mysql2
- Affected package is the `mysql2` Node.js library; versions before 3.9.8 are vulnerable to Prototype Pollution. Detect use of vulnerable versions in dependency manifests (package.json, package-lock.json)
- Red Hat Developer Hub packages (rhdh-operator-container and rhdh/rhdh-hub-rhel9) are explicitly marked as NOT affected by this CVE
- No mitigation is currently available that meets Red Hat Product Security criteria; patching to mysql2 >= 3.9.8 is the primary remediation path
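The detection guidance above amounts to a version gate over dependency manifests. The following script is an added example (not code from this advisory, from NVD, Red Hat, or the mysql2 project) that walks a package-lock.json in both the v2/v3 `packages` layout and the v1 nested `dependencies` layout, lists every installed copy of `mysql2` (including copies nested under other packages), and flags those below the fixed release 3.9.8. It assumes plain numeric `major.minor.patch` versions as npm writes them into lockfiles; the lockfile content embedded below is constructed for the demonstration.

```javascript
// Added example, not from the advisory or the mysql2 project.
// Flag mysql2 installs below the fixed version 3.9.8 in a package-lock.json.

const FIXED_VERSION = '3.9.8'; // fixed-in version from the advisory

// Minimal major.minor.patch comparison; pre-release suffixes are ignored.
// Assumes numeric versions as npm records them in lockfiles.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Collect every installed mysql2, whatever depth it sits at in node_modules.
function findMysql2Installs(lock) {
  const found = [];

  // Lockfile v2/v3: flat "packages" map keyed by install path.
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/mysql2') && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }

  // Lockfile v1: nested "dependencies" tree.
  function walkV1(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'mysql2' && meta.version) found.push({ path, version: meta.version });
      if (meta.dependencies) walkV1(meta.dependencies, path + '/');
    }
  }
  walkV1(lock.dependencies, '');
  return found;
}

// Parse a lockfile string and annotate each mysql2 install with a verdict.
function scanLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  return findMysql2Installs(lock).map((i) => ({ ...i, vulnerable: isVulnerableVersion(i.version) }));
}

// Constructed sample (v3 layout): a vulnerable top-level install and a fixed nested one.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { mysql2: '^3.9.7' } },
    'node_modules/mysql2': { version: '3.9.7' },
    'node_modules/some-orm': { version: '1.0.0' },
    'node_modules/some-orm/node_modules/mysql2': { version: '3.9.8' },
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of scanLockfile(SAMPLE_LOCK)) {
    console.log(`${r.path} mysql2@${r.version}: ${r.vulnerable ? 'VULNERABLE (< 3.9.8)' : 'ok'}`);
  }
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `fs.readFileSync('package-lock.json', 'utf8')`. Nested copies matter: a fixed top-level mysql2 does not help if an ORM or driver wrapper pins its own older copy under its node_modules.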
CVSS provenance
- NVD (v3.1): 8.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
- Red Hat (vendor): 8.2 HIGH
Red Hat (vendor_redhat · 2024-05-29 · CVSS 8.2)
CVE-2024-21512 [HIGH] CWE-1321 mysql2: vulnerable to Prototype Pollution due to improper user input sanitization
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
A flaw was found in MySQL2. This issue is due to prototype pollution caused by improper user input sanitization passed to fields and tables when using nestTables.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: rhdh-operator-container (Red Hat Developer Hub) - Not affected
Package: rhdh/rhdh-hub-rhel9 (Red Hat Developer Hub) - Not affected
GHSA (ghsa · 2024-05-30)
CVE-2024-21512 [HIGH] CWE-1321 mysql2 vulnerable to Prototype Pollution
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
OSV (osv · 2024-05-30)
CVE-2024-21512 [HIGH] mysql2 vulnerable to Prototype Pollution
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://gist.github.com/domdomi3/e9f0f9b9b1ed6bfbbc0bea87c5ca1e4a
- https://github.com/sidorares/node-mysql2/commit/efe3db527a2c94a63c2d14045baba8dfefe922bc
- https://github.com/sidorares/node-mysql2/pull/2702
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-7176010
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6861580