Multiple MySQL2 Flaw Let Attackers Arbitrary Code Remotely

The widely used MySQL2 has been discovered to have three critical vulnerabilities: remote Code execution, Arbitrary code injection, and Prototype Pollution.

These vulnerabilities have been assigned with CVE-2024-21508, CVE-2024-21509, and CVE-2024-21511.

The severity of these vulnerabilities ranges from 6.5 (Medium) to 9.8 (Critical). While only one of these vulnerabilities has been patched, the other two remain and must be fixed by the Vendor. 

MySQL2 Flaw Vulnerability

According to the reports shared with Cyber Security News, the node-mysql2 library allows users to connect to the database in JavaScript and has over 2 million installations per week. 

The user can utilize this library to establish a connection with their database and execute queries with it.

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

This particular scenario also applies to a threat actor, providing them with server-level access.

Since the attack vector entirely depends on the post-connection to the server, attacks such as Remote Code Execution, Arbitrary code execution, and prototype pollution are possible. 

CVE-2024-21508 & CVE-2024-21511

This particular vulnerability arises because the node-mysql2 library allows the first argument passed to the connection query function to be a string containing the query.

However, this particular argument is not validated correctly, allowing a user to pass objects instead of strings.

Further, MySQL2 generates a parsing function for every query, usually cached for optimization purposes.

The library’s source code also contains a parameter supportBugNumbers, which is used when a query returns a large number.

However, this argument is not sanitized or checked correctly, which allows a user to pass an object with malicious code that will result in Remote code execution.

CVE-2024-21509 – Prototype Pollution

Analyzing the library’s source code also revealed that the function that parses the returned response uses a global prototype as a map, which can be exploited in a similar pattern to the previous attack to achieve Prototype Pollution.

The severity for this vulnerability was given as 6.5 (Medium).

Another vulnerability mentioned by the researcher was associated with cache poisoning.

This cache poisoning can be exploited even in stricter application configurations. 

Cache Poisoning

The node-mysql2 library uses a response function in which keys are inserted into the string and the use of a “:” delimiter.

The key strings can also contain a “:” delimiter, enabling the exploitation of this behavior to manipulate the hash function. However, the vendors fixed this vulnerability.

Users are recommended to upgrade their MySQL2 to the latest version, 3.6.7, to prevent the exploitation of this cache poisoning vulnerability. Other vulnerabilities have yet to be addressed.

The researcher also stated, “the vendor did not provide the necessary cooperation, ignoring my emails for months, so this material was released without the final fixes.”

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…

15 hours ago

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…

15 hours ago

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…

15 hours ago

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…

15 hours ago

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…

2 days ago

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

2 days ago