Опубликовано: 10 апр. 2024
Источник: github
Github: Прошло ревью
CVSS4: 6.9
CVSS3: 6.5
Описание
mysql2 vulnerable to Prototype Poisoning
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2024-21509
- https://github.com/sidorares/node-mysql2/pull/2574
- https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691
- https://blog.slonser.info/posts/mysql2-attacker-configuration
- https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134
- https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084
Пакеты
Наименование
mysql2
npm
Затронутые версииВерсия исправления
< 3.9.4
3.9.4
Связанные уязвимости
CVSS3: 6.5
redhat
почти 2 года назад
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
CVSS3: 6.5
nvd
почти 2 года назад
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.