Vulnerability

CVE-2024-21507

 Report advisory or correction

CVSS Score 5.3 medium

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-20

References

https://blog.slonser.info/posts/mysql2-attacker-configuration/#:~:text=also%20gain%20RCE.-,Cache%20Poisoning,-The%20next%20vulnerability
https://github.com/sidorares/node-mysql2/pull/2424
https://github.com/sidorares/node-mysql2/releases/tag/v3.9.3
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21507

[CVE-2024-21507] CWE-20: Improper Input Validation

Description

Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.

Deviation Notice:
Sonatype's research suggests that this CVE's details differ from those defined at NVD or other reporting sources; sign in for details.

Sign up and see:

Detailed deviation notices:
  • Detailed deviations
  • References
  • Custom Descriptions [Coming Soon]
Sign Up
See mysql2 package information