The widely used MySQL2 has been discovered to have three critical vulnerabilities: remote Code execution, Arbitrary code injection, and Prototype Pollution.
These vulnerabilities have been assigned with CVE-2024-21508, CVE-2024-21509, and CVE-2024-21511.
The severity of these vulnerabilities ranges from 6.5 (Medium) to 9.8 (Critical). While only one of these vulnerabilities has been patched, the other two remain and must be fixed by the Vendor.
MySQL2 Flaw Vulnerability
According to the reports shared with Cyber Security News, the node-mysql2 library allows users to connect to the database in JavaScript and has over 2 million installations per week.
The user can utilize this library to establish a connection with their database and execute queries with it.
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
This particular scenario also applies to a threat actor, providing them with server-level access.
Since the attack vector entirely depends on the post-connection to the server, attacks such as Remote Code Execution, Arbitrary code execution, and prototype pollution are possible.
This particular vulnerability arises because the node-mysql2 library allows the first argument passed to the connection query function to be a string containing the query.
However, this particular argument is not validated correctly, allowing a user to pass objects instead of strings.
Further, MySQL2 generates a parsing function for every query, usually cached for optimization purposes.
The library’s source code also contains a parameter supportBugNumbers, which is used when a query returns a large number.
However, this argument is not sanitized or checked correctly, which allows a user to pass an object with malicious code that will result in Remote code execution.
Analyzing the library’s source code also revealed that the function that parses the returned response uses a global prototype as a map, which can be exploited in a similar pattern to the previous attack to achieve Prototype Pollution.
The severity for this vulnerability was given as 6.5 (Medium).
Another vulnerability mentioned by the researcher was associated with cache poisoning.
This cache poisoning can be exploited even in stricter application configurations.
Cache Poisoning
The node-mysql2 library uses a response function in which keys are inserted into the string and the use of a “:” delimiter.
The key strings can also contain a “:” delimiter, enabling the exploitation of this behavior to manipulate the hash function. However, the vendors fixed this vulnerability.
Users are recommended to upgrade their MySQL2 to the latest version, 3.6.7, to prevent the exploitation of this cache poisoning vulnerability. Other vulnerabilities have yet to be addressed.
The researcher also stated, “the vendor did not provide the necessary cooperation, ignoring my emails for months, so this material was released without the final fixes.”
Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP
.