2274444 – (CVE-2024-21507) CVE-2024-21507 mysql2: Improper Input Validation

Bug 2274444 (CVE-2024-21507) - CVE-2024-21507 mysql2: Improper Input Validation

Summary: CVE-2024-21507 mysql2: Improper Input Validation

Keywords:
Status:	NEW
Alias:	CVE-2024-21507
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2274445
TreeView+	depends on / blocked

Reported:	2024-04-11 05:42 UTC by Avinash Hanwate
Modified:	2024-04-18 06:18 UTC (History)
CC List:	5 users (show)
Fixed In Version:	mysql2 3.9.3
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the MySQL2 npm package. Affected versions of this package are vulnerable to improper input validation through the keyFromFields function, resulting in cache poisoning. This flaw allows an attacker to inject a colon (:) character within a value of the attacker-crafted key.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2024-04-11 05:42:14 UTC

Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.

https://blog.slonser.info/posts/mysql2-attacker-configuration/
https://github.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10df02c818
https://github.com/sidorares/node-mysql2/pull/2424
https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591300

Note You need to log in before you can comment on or make changes to this bug.