The widely used MySQL2 has been discovered to have three critical vulnerabilities: remote Code execution, Arbitrary code injection, and Prototype Pollution.
These vulnerabilities have been assigned with CVE-2024-21508, CVE-2024-21509, and CVE-2024-21511.
The severity of these vulnerabilities ranges from 6.5 (Medium) to 9.8 (Critical). While only one of these vulnerabilities has been patched, the other two remain and must be fixed by the Vendor.
According to the reports shared with Cyber Security News, the node-mysql2 library allows users to connect to the database in JavaScript and has over 2 million installations per week.
The user can utilize this library to establish a connection with their database and execute queries with it.
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
This particular scenario also applies to a threat actor, providing them with server-level access.
Since the attack vector entirely depends on the post-connection to the server, attacks such as Remote Code Execution, Arbitrary code execution, and prototype pollution are possible.
This particular vulnerability arises because the node-mysql2 library allows the first argument passed to the connection query function to be a string containing the query.
However, this particular argument is not validated correctly, allowing a user to pass objects instead of strings.
Further, MySQL2 generates a parsing function for every query, usually cached for optimization purposes.
The library’s source code also contains a parameter supportBugNumbers, which is used when a query returns a large number.
However, this argument is not sanitized or checked correctly, which allows a user to pass an object with malicious code that will result in Remote code execution.
Analyzing the library’s source code also revealed that the function that parses the returned response uses a global prototype as a map, which can be exploited in a similar pattern to the previous attack to achieve Prototype Pollution.
The severity for this vulnerability was given as 6.5 (Medium).
Another vulnerability mentioned by the researcher was associated with cache poisoning.
This cache poisoning can be exploited even in stricter application configurations.
The node-mysql2 library uses a response function in which keys are inserted into the string and the use of a “:” delimiter.
The key strings can also contain a “:” delimiter, enabling the exploitation of this behavior to manipulate the hash function. However, the vendors fixed this vulnerability.
Users are recommended to upgrade their MySQL2 to the latest version, 3.6.7, to prevent the exploitation of this cache poisoning vulnerability. Other vulnerabilities have yet to be addressed.
The researcher also stated, “the vendor did not provide the necessary cooperation, ignoring my emails for months, so this material was released without the final fixes.”
Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.
A very important message from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS)…
Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target…
ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine, to target infected systems, which extracts…
Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…
The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…
Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated cybercriminals to achieve its strategic goals,…