VDB
CVE-2024-21509
PUBLISHED
CVSS 6.5 MEDIUM
Versions of the npm package mysql2 before 3.9.4 are vulnerable to prototype poisoning. The row parsers that mysql2 generates at runtime (parserFn in lib/parsers/text_parser.js and binary_parser.js) create each result row as a plain object and use the column names from the result set as property keys without sanitizing them, so a column whose name collides with an Object.prototype property (for example `__proto__`) can change the prototype of the returned row object. Fixed in 3.9.4 (PR #2574, commit 4a964a3).
EPSS 0.77% · 73.7th percentile
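Illustration of the vulnerable pattern and one hardened form. This is an added example written for this page, not mysql2's own code: it mimics a row parser compiled with `new Function` (the role parserFn plays in mysql2) that writes column values onto a plain `{}` keyed by the server-supplied column names. It assumes that whoever controls the query text can choose column names (`SELECT ... AS __proto__`) and that a JSON column is decoded into an object before the row is built; the sample row, the `PRIVATE_PROPS` deny-list and all function names are this example's own.

```javascript
'use strict';
// Added example, not code from mysql2. It mimics the pattern the advisory
// describes: a row parser compiled with new Function (mysql2 calls the
// generated function parserFn) that assigns column values onto a plain `{}`
// result object, using the column names from the server's column
// definitions as property keys. Two assumptions drive the demo: the query
// author can pick column names (SELECT ... AS __proto__), and a JSON column
// is decoded into an object before it reaches the row builder.

// Constructed sample row: column names and already-decoded values.
// Column 2 stands in for a JSON column whose decoded value is an object.
const SAMPLE_FIELDS = ['id', '__proto__'];
const SAMPLE_VALUES = [7, { isAdmin: true }];

// Names that collide with Object.prototype accessors and methods. This list
// is the example's own deny-list for this class of fix, not mysql2's list.
const PRIVATE_PROPS = new Set([
  '__proto__', 'constructor', 'prototype',
  '__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__',
  'hasOwnProperty', 'isPrototypeOf', 'propertyIsEnumerable',
  'toString', 'toLocaleString', 'valueOf',
]);

// Vulnerable shape: column names are interpolated into generated source and
// written onto `{}`. `result["__proto__"] = obj` reaches the __proto__ setter
// inherited from Object.prototype and replaces the row's prototype with obj.
function compileRowParserUnsafe(fields) {
  let src = 'const result = {};\n';
  fields.forEach((name, i) => {
    src += `result[${JSON.stringify(name)}] = values[${i}];\n`;
  });
  src += 'return result;\n';
  return new Function('values', src);
}

// Hardened shape: refuse any column whose name is an Object.prototype
// property, and give rows a null prototype so a name that slipped past the
// list could only ever become an own data property, never a prototype swap.
function compileRowParserSafe(fields) {
  for (const name of fields) {
    if (PRIVATE_PROPS.has(name)) {
      throw new Error(`column name ${JSON.stringify(name)} collides with an Object.prototype property`);
    }
  }
  let src = 'const result = Object.create(null);\n';
  fields.forEach((name, i) => {
    src += `result[${JSON.stringify(name)}] = values[${i}];\n`;
  });
  src += 'return result;\n';
  return new Function('values', src);
}

// Consumer-side check: a row whose prototype is neither Object.prototype nor
// null has been poisoned (or was built by something other than a row parser).
function rowIsPoisoned(row) {
  const proto = Object.getPrototypeOf(row);
  return proto !== Object.prototype && proto !== null;
}

function demo() {
  const poisoned = compileRowParserUnsafe(SAMPLE_FIELDS)(SAMPLE_VALUES);
  let safeError = null;
  try {
    compileRowParserSafe(SAMPLE_FIELDS);
  } catch (e) {
    safeError = e.message;
  }
  const safeRow = compileRowParserSafe(['id', 'name'])([7, 'alice']);
  return { poisoned, safeError, safeRow };
}

const { poisoned, safeError, safeRow } = demo();
console.log('unsafe row own keys:', Object.keys(poisoned));       // [ 'id' ]
console.log('unsafe row.isAdmin (inherited):', poisoned.isAdmin);  // true
console.log('safe parser refused:', safeError);
console.log('safe row:', safeRow, 'poisoned?', rowIsPoisoned(safeRow));
```

The poisoned row has no own `isAdmin` property, yet `row.isAdmin` reads `true` because the injected object became its prototype; any downstream `if (row.isAdmin)` check is fooled. The null-prototype choice in the hardened parser is a trade-off: it closes the setter path entirely, but code that calls `row.hasOwnProperty(...)` directly on a row will break and must use `Object.hasOwn` or `Object.prototype.hasOwnProperty.call` instead.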
Risk Scores
CVSS v3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P (6.5 is the base score; E:P is the temporal Exploit Code Maturity metric, proof-of-concept)
EPSS Score
0.77%
73.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | mysql2 | < 3.9.4 (affected range starts at version 0; fixed in 3.9.4) |
| npm | mysql2 | < 3.9.4 |
| mysqljs | mysql2 | < 3.9.4 |
| sidorares | mysql2 | < 3.9.4 |
Timeline
- Apr 10, 2024 CVE Published
- Apr 10, 2024 EPSS Score
- Apr 12, 2024 CVE Updated
- May 5, 2024 EPSS Score
- May 30, 2024 EPSS Score
- Jul 19, 2024 EPSS Score
- Aug 14, 2024 EPSS Score
- Sep 8, 2024 EPSS Score
- Oct 3, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Nov 22, 2024 EPSS Score
- Dec 18, 2024 EPSS Score
References
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084 url
- https://blog.slonser.info/posts/mysql2-attacker-configuration/ url
- https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js#L134 url
- https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691 url
- https://github.com/sidorares/node-mysql2/pull/2574 url
- https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4 url
- https://nvd.nist.gov/vuln/detail/CVE-2024-21509 advisory
- https://github.com/sidorares/node-mysql2 package