CVE-2024-21507

Опубликовано: 10 апр. 2024

Источник: nvd

CVSS3: 6.5

CVSS3: 5.3

EPSS Низкий

Описание

Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.

Ссылки

https://blog.slonser.info/posts/mysql2-attacker-configuration/
Exploit
Permissions Required
https://github.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10df02c818
Patch
https://github.com/sidorares/node-mysql2/pull/2424
Exploit
Issue Tracking
https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591300
Exploit
Third Party Advisory
https://blog.slonser.info/posts/mysql2-attacker-configuration/
Exploit
Permissions Required
https://github.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10df02c818
Patch
https://github.com/sidorares/node-mysql2/pull/2424
Exploit
Issue Tracking
https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591300
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:sidorares:mysql2:*:*:*:*:*:*:*:*

Версия до 3.9.3 (исключая)

EPSS

Процентиль: 55%

0.00322

Низкий

6.5 Medium

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-20

Связанные уязвимости

CVE-2024-21507

CVSS3: 6.5

redhat

почти 2 года назад

GHSA-mqr2-w7wj-jjgr

CVSS3: 6.5

github

почти 2 года назад

mysql2 cache poisoning vulnerability

EPSS

Процентиль: 55%

0.00322

Низкий

6.5 Medium

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-20