Vulnerability in mysql2 Prior to 3.9.8 Due to Prototype Pollution
CVE-2024-21512
What is CVE-2024-21512?
CVE-2024-21512 affects the mysql2 package prior to version 3.9.8 and is caused by prototype pollution. It can be exploited by adding or modifying properties of Object.prototype using a __proto__ or constructor payload, allowing an attacker to execute arbitrary code or cause a denial-of-service condition on the system. The affected vendor is listed as Node.js MySQL2 3.9.7, and the recommended action is to upgrade to the latest version available from the MySQL2 Git repository. There are currently no known exploits of this vulnerability in the wild.
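An added illustration of the pattern described above, not mysql2's code and not part of the original page: a hypothetical row builder that nests columns under table names, the way a nestTables-style option does, shown naive and then hardened. The function names, the field layout and the sample metadata are assumptions constructed for this example.

```javascript
// Added example: hypothetical helpers, not taken from mysql2.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive builder: row[table][column] = value on ordinary objects.
// If a table is named "__proto__", row[table] resolves to Object.prototype,
// so the column is written onto every object in the process.
function nestRowUnsafe(fields, values) {
  const row = {};
  fields.forEach((f, i) => {
    if (row[f.table] === undefined) row[f.table] = {};
    row[f.table][f.name] = values[i];
  });
  return row;
}

// Hardened builder: null-prototype containers plus an explicit reject list.
// The reject list is defence in depth for callers that later copy the row
// into ordinary objects.
function nestRowSafe(fields, values) {
  const row = Object.create(null);
  fields.forEach((f, i) => {
    if (FORBIDDEN_KEYS.has(f.table) || FORBIDDEN_KEYS.has(f.name)) {
      throw new TypeError(`reserved key in result metadata: ${f.table}.${f.name}`);
    }
    if (!Object.prototype.hasOwnProperty.call(row, f.table)) {
      row[f.table] = Object.create(null);
    }
    row[f.table][f.name] = values[i];
  });
  return row;
}

// Runs both builders on constructed metadata and reports the outcome.
function demo() {
  const fields = [{ table: '__proto__', name: 'polluted' }]; // constructed sample
  nestRowUnsafe(fields, [true]);
  const unsafePolluted = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the global side effect
  let rejected = false;
  try {
    nestRowSafe(fields, [true]);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const safePolluted = ({}).polluted !== undefined;
  const ok = nestRowSafe([{ table: 'users', name: 'id' }], [7]);
  return { unsafePolluted, rejected, safePolluted, id: ok.users.id };
}
```
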
Affected Version(s)
mysql2 0 < 3.9.8
org.webjars.npm:mysql2 0
News Articles
CVE-2024-21512 – Node.js MySQL2 Vulnerability - Rewterz
Node.js MySQL2 module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in nestTables.
References
EPSS Score
62% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- First article discovered by Rewterz
- Vulnerability published
- Vulnerability Reserved