MySQL2 Vulnerability - 20240605001

Overview

Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables. Proof-of-Concept (PoC) exploit code is available for this vulnerability. Successful exploitation could allow remote attackers to execute arbitrary code on the server, effectively taking control of the affected application.

What is vulnerable?

| CVE | Severity | CVSS | Product(s) Affected | Dated |
| --- | --- | --- | --- | --- |
| CVE-2024-21512 | High | 8.2 | versions of mysql2 before 3.9.8 | 05/29/2024 |
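As an added example (not part of this advisory and not the mysql2 project's own code), the script below does two things a defender would want here: it flags whether a given mysql2 version is before the fixed release 3.9.8, and it shows the general hardening pattern for the class of bug described above, namely building nested result objects from untrusted table and field names without letting a name such as `__proto__` or `constructor` reach `Object.prototype`. The `nestRowSafely` helper and its `table.field` input shape are an illustration of that pattern, not the library's actual `nestTables` implementation or its actual patch.

```javascript
// Added example: version check for CVE-2024-21512 plus a generic
// prototype-pollution guard. Not WA SOC's or mysql2's code.

const FIXED_VERSION = '3.9.8'; // first non-affected mysql2 release per the advisory

// Parse "MAJOR.MINOR.PATCH" (a leading "v" and any suffix are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed mysql2 version is before 3.9.8.
function isAffectedMysql2(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Property names that let attacker-influenced keys reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hypothetical nesting helper: turns a flat row { "table.field": value }
// into { table: { field: value } }. Table and field names are taken from
// result metadata that a query author can shape, so they are treated as
// untrusted: forbidden keys are rejected and containers have no prototype.
function nestRowSafely(flatRow) {
  const nested = Object.create(null);
  for (const [qualified, value] of Object.entries(flatRow)) {
    const dot = qualified.indexOf('.');
    const table = dot === -1 ? '' : qualified.slice(0, dot);
    const field = dot === -1 ? qualified : qualified.slice(dot + 1);
    if (FORBIDDEN_KEYS.has(table) || FORBIDDEN_KEYS.has(field)) {
      throw new Error(`refusing prototype-polluting key in result: ${qualified}`);
    }
    if (!(table in nested)) nested[table] = Object.create(null);
    nested[table][field] = value;
  }
  return nested;
}

// Usage: node check-mysql2.js [version]; falls back to the installed mysql2 if any.
if (typeof require !== 'undefined' && require.main === module) {
  let version = process.argv[2];
  if (!version) {
    try { version = require('mysql2/package.json').version; } catch (e) { version = null; }
  }
  if (version) {
    const verdict = isAffectedMysql2(version) ? 'AFFECTED (upgrade to >= 3.9.8)' : 'not affected';
    console.log(`mysql2 ${version}: ${verdict}`);
  } else {
    console.log('no version supplied and mysql2 is not installed here');
  }
}
```

Run it with a version string, or with no argument inside a project that has mysql2 installed, to get a verdict against the advisory's fixed version; the `nestRowSafely` guard is the shape of check to look for in any code that builds objects from database metadata.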

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of 48 hours... (refer Patch Management):

Additional References