Vulnerability Description
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sidorares | Mysql2 | < 3.9.3 |
Related Weaknesses (CWE)
References
- https://blog.slonser.info/posts/mysql2-attacker-configuration/ExploitPermissions Required
- https://github.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10Patch
- https://github.com/sidorares/node-mysql2/pull/2424ExploitIssue Tracking
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591300ExploitThird Party Advisory
- https://blog.slonser.info/posts/mysql2-attacker-configuration/ExploitPermissions Required
- https://github.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10Patch
- https://github.com/sidorares/node-mysql2/pull/2424ExploitIssue Tracking
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591300ExploitThird Party Advisory
FAQ
What is CVE-2024-21507?
CVE-2024-21507 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character w...
How severe is CVE-2024-21507?
CVE-2024-21507 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-21507?
Check the references section above for vendor advisories and patch information. Affected products include: Sidorares Mysql2.