Versions of mysql before 2.14.0 are vulnerable to remote memory exposure.
Affected versions of the mysql package allocate and send uninitialized memory over the network when a number is provided as a password.
Only mysql running on Node.js versions below 6.0.0 is affected, due to a throw added in newer Node.js versions.
External Reference:
https://nodesecurity.io/advisories/602
Upstream Commit:
https://github.com/mysqljs/mysql/commit/310c6a7d1b2e14b63b572dbfbfa10128f20c6d52
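The two conditions in the description (mysql before 2.14.0, Node.js below 6.0.0) can be checked during a dependency audit, and a non-string password can be rejected before it reaches the driver. The following is an added example, not code from the mysql project or the advisory; the function names `isExposed` and `checkConnectionConfig`, the host name and the sample config are hypothetical and constructed for illustration.

```javascript
// Thresholds taken from the advisory text above.
const FIXED_MYSQL = [2, 14, 0]; // first mysql release that is not affected
const SAFE_NODE = [6, 0, 0];    // Node.js releases from here on throw instead

// Parse "v4.9.1" or "2.13.0" into [major, minor, patch]; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new TypeError('unparseable version: ' + v);
  return m.slice(1).map(Number);
}

// Numeric comparison, so that 2.9.x sorts below 2.14.0 (a string compare would not).
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// True only when both conditions from the advisory hold.
function isExposed(mysqlVersion, nodeVersion) {
  return lessThan(parseVersion(mysqlVersion), FIXED_MYSQL) &&
         lessThan(parseVersion(nodeVersion), SAFE_NODE);
}

// Hypothetical guard: refuse a connection config whose password is not a string
// (for example a number parsed from JSON) before handing it to the driver.
function checkConnectionConfig(config) {
  const pw = config.password;
  if (pw !== undefined && pw !== null && typeof pw !== 'string') {
    throw new TypeError('password must be a string, got ' + typeof pw);
  }
  return config;
}

// Constructed sample: a JSON config where the password was written without quotes.
const sample = JSON.parse(
  '{"host":"db.example.internal","user":"app","password":12345}'
);
```

In an application, `checkConnectionConfig` would wrap the object passed to the driver's connection factory, and `isExposed` would be fed the installed mysql version and `process.version`.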
Created nodejs-mysql tracking bugs for this issue:
Affects: epel-all [bug 1578236]
Affects: fedora-all [bug 1578235]
Comment 3 Product Security DevOps Team
2020-05-20 21:17:25 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Comment 4 Product Security DevOps Team
2020-05-21 03:15:19 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.