Cache Poisoning Vulnerability in mysql2 Before 3.9.3
CVE-2024-21507

6.5MEDIUM

Key Information:

Vendor: mysql
Status: Mysql2
Vendor: CVE Published:; 10 April 2024

What is CVE-2024-21507?

Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.

Affected Version(s)

mysql2 0 < 3.9.3

References

https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591300

https://github.com/sidorares/node-mysql2/commit/0d54b0ca6...

https://blog.slonser.info/posts/mysql2-attacker-configura...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 10, 2024
Vulnerability Reserved
Dec 22, 2023

Credit

Vsevolod Kokorin (Slonser)