Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVmN20tbW1wYy1xaGg0
mysql Node.JS Module Vulnerable to Remote Memory Exposure
Versions of mysql
before 2.14.0 are vulnerable to remove memory exposure.
Affected versions of mysql
package allocate and send an uninitialized memory over the network when a number is provided as a password.
Only mysql
running on Node.js versions below 6.0.0 are affected due to a throw added in newer node.js versions.
Proof of Concept:
require('mysql').createConnection({
host: 'localhost',
user: 'user',
password : USERPROVIDEDINPUT, // number
database : 'my_db'
}).connect();
Recommendation
Update to version 2.14.0 or later.
Permalink: https://github.com/advisories/GHSA-5f7m-mmpc-qhh4JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVmN20tbW1wYy1xaGg0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago
Identifiers: GHSA-5f7m-mmpc-qhh4
References:
- https://github.com/mysqljs/mysql/commit/310c6a7d1b2e14b63b572dbfbfa10128f20c6d52
- https://www.npmjs.com/advisories/602
- https://github.com/mysqljs/mysql/commit/192fe45593ba5768534afb6f2154432ca67a5002
- https://github.com/advisories/GHSA-5f7m-mmpc-qhh4
Blast Radius: 0.0
Affected Packages
npm:mysql
Dependent packages: 7,977Dependent repositories: 189,209
Downloads: 3,883,242 last month
Affected Version Ranges: >= 2.0.0-alpha8, < 2.14.0
Fixed in: 2.14.0
All affected versions: 2.0.0, 2.0.0-alpha8, 2.0.0-alpha9, 2.0.0-rc1, 2.0.0-rc2, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.10.1, 2.10.2, 2.11.0, 2.11.1, 2.12.0, 2.13.0
All unaffected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 2.14.0, 2.14.1, 2.15.0, 2.16.0, 2.17.0, 2.17.1, 2.18.0, 2.18.1