{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21509", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-12-22T12:33:20.119Z", "datePublished": "2024-04-10T05:00:00.795Z", "dateUpdated": "2024-08-22T13:11:18.154Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P"}}], "credits": [{"value": "Vsevolod Kokorin", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "description": "Prototype Poisoning", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-04-10T05:00:00.795Z"}, "descriptions": [{"value": "Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084"}, {"url": "https://blog.slonser.info/posts/mysql2-attacker-configuration/"}, {"url": "https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134"}, {"url": "https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691"}, {"url": "https://github.com/sidorares/node-mysql2/pull/2574"}, {"url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4"}], "affected": [{"product": "mysql2", "versions": [{"version": "0", "lessThan": "3.9.4", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:40.966Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084", "tags": ["x_transferred"]}, {"url": "https://blog.slonser.info/posts/mysql2-attacker-configuration/", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/pull/2574", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1321", "lang": "en", "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "affected": [{"vendor": "mysqljs", "product": "mysql2", "cpes": ["cpe:2.3:a:mysqljs:mysql2:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "3.9.4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-22T13:08:47.484217Z", "id": "CVE-2024-21509", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T13:11:18.154Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084", "tags": ["x_transferred"]}, {"url": "https://blog.slonser.info/posts/mysql2-attacker-configuration/", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/pull/2574", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:40.966Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21509", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-22T13:08:47.484217Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mysqljs:mysql2:*:*:*:*:*:*:*:*"], "vendor": "mysqljs", "product": "mysql2", "versions": [{"status": "affected", "version": "0", "lessThan": "3.9.4", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T13:11:14.448Z"}}], "cna": {"credits": [{"lang": "en", "value": "Vsevolod Kokorin"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "mysql2", "versions": [{"status": "affected", "version": "0", "lessThan": "3.9.4", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084"}, {"url": "https://blog.slonser.info/posts/mysql2-attacker-configuration/"}, {"url": "https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134"}, {"url": "https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691"}, {"url": "https://github.com/sidorares/node-mysql2/pull/2574"}, {"url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4"}], "descriptions": [{"lang": "en", "value": "Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1321", "description": "Prototype Poisoning"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-04-10T05:00:00.795Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21509", "state": "PUBLISHED", "dateUpdated": "2024-08-22T13:11:18.154Z", "dateReserved": "2023-12-22T12:33:20.119Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2024-04-10T05:00:00.795Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sidorares:mysql2:*:*:*:*:*:*:*:*", "matchCriteriaId": "A83DB932-97B6-4BB5-BCA9-269B9FE80687", "versionEndExcluding": "3.9.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js."}, {"lang": "es", "value": "Las versiones del paquete mysql2 anteriores a la 3.9.4 son vulnerables al envenenamiento de prototipos debido a la creaci\u00f3n insegura de objetos de resultados y a una desinfecci\u00f3n inadecuada de las entradas del usuario pasadas a trav\u00e9s de parserFn en text_parser.js y binario_parser.js."}], "id": "CVE-2024-21509", "lastModified": "2025-06-17T18:15:19.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2024-04-10T05:15:48.547", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Permissions Required"], "url": "https://blog.slonser.info/posts/mysql2-attacker-configuration/"}, {"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691"}, {"source": "report@snyk.io", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/sidorares/node-mysql2/pull/2574"}, {"source": "report@snyk.io", "tags": ["Release Notes"], "url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Permissions Required"], "url": "https://blog.slonser.info/posts/mysql2-attacker-configuration/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/sidorares/node-mysql2/pull/2574"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "report@snyk.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1321"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "mysql2: Prototype Poisoning", "id": "2274489", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274489"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "status": "draft"}, "cwe": "CWE-1321", "details": ["Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.", "A prototype pollution vulnerability was found in mysql2. Insecure results in object creation and improper user input sanitization can lead to prototype poisoning."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-21509", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}], "public_date": "2024-04-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21509\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21509\nhttps://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691\nhttps://github.com/sidorares/node-mysql2/pull/2574\nhttps://github.com/sidorares/node-mysql2/releases/tag/v3.9.4"], "threat_severity": "Moderate"}