VDB
CVE-2024-21507
CVE-2024-21507
PUBLISHED
CVSS 6.5 MEDIUM
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
EPSS 0.42% · 62.3th percentile
Risk Scores
CVSS v3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P
EPSS Score
0.42%
62.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| mysqljs | mysql2 | 0 |
| npm | mysql2 | 0 |
| n/a | mysql2 | 0 |
| sidorares | mysql2 | 0 |
Timeline
- Apr 10, 2024 CVE Published
- Apr 10, 2024 EPSS Score
- Apr 12, 2024 CVE Updated
- May 5, 2024 EPSS Score
- May 30, 2024 EPSS Score
- Jun 24, 2024 EPSS Score
- Aug 14, 2024 EPSS Score
- Sep 8, 2024 EPSS Score
- Oct 3, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 28, 2024 EPSS Score
- Nov 22, 2024 EPSS Score
References
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591300 url
- https://github.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10df02c818 url
- https://blog.slonser.info/posts/mysql2-attacker-configuration/ url
- https://github.com/sidorares/node-mysql2/pull/2424 url
- https://nvd.nist.gov/vuln/detail/CVE-2024-21507 advisory
- https://blog.slonser.info/posts/mysql2-attacker-configuration url
- https://github.com/sidorares/node-mysql2 package