CVE-2024-21509

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-21509

CGA ID

CGA-c29j-944x-2v7x

Severity

6.5

Medium

CVSS V3

Description

Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.

References

https://images.chainguard.dev/security/CGA-c29j-944x-2v7x
https://github.com/advisories/GHSA-49j4-86m8-q2jw
https://blog.slonser.info/posts/mysql2-attacker-configuration/
https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691
https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134
https://github.com/sidorares/node-mysql2/pull/2574
https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4
https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Media Kit Contact Us

Private Policy

CVE-2024-21509

Severity

Description

References

Affected packages

Products

Why Chainguard

Customers

Company

Resources