mysql

Remote Memory Exposure

Severity: moderate

Overview

Versions of mysql before 2.14.0 are vulnerable to remote memory exposure.

Affected versions of the mysql package allocate uninitialized memory and send it over the network when a number is provided as the password.

Only mysql running on Node.js versions below 6.0.0 is affected, because of a throw added in newer Node.js versions.

Proof of Concept:

require('mysql').createConnection({
  host: 'localhost',
  user: 'user',
  password : USERPROVIDEDINPUT,  // number
  database : 'my_db'
}).connect();

Remediation

Update to version 2.14.0 or later.
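
The check below is an added example, not code from the advisory or from the mysql project. It tests a mysql/Node.js version pair against the range implied by this page's version lists (2.0.0-alpha8 up to, but not including, 2.14.0, on Node.js below 6.0.0) and rejects non-string passwords before they reach createConnection(). The function names and the sample versions are assumptions made for the illustration.

```javascript
'use strict';

// Parse "2.0.0-alpha8" into { nums: [2, 0, 0], pre: 'alpha8' }; pre is null for releases.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error('unparseable version: ' + v);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver-style ordering. The pre-release comparison is a plain string compare,
// which is enough for the single-identifier tags listed on this page
// (alpha, alpha2..alpha9, preview, rc1, rc2) but is not a full semver implementation.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;  // a release sorts after its own pre-releases
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// True when both conditions from the advisory hold: a mysql version inside the
// vulnerable range and a Node.js runtime below 6.0.0.
function isExposed(mysqlVersion, nodeVersion) {
  return compareVersions(mysqlVersion, '2.0.0-alpha8') >= 0 &&
         compareVersions(mysqlVersion, '2.14.0') < 0 &&
         compareVersions(nodeVersion, '6.0.0') < 0;
}

// Guard for deployments that cannot upgrade yet: refuse any password that is
// not a string, so a number taken from request data never reaches the driver.
function requireStringPassword(options) {
  if (options.password !== undefined && typeof options.password !== 'string') {
    throw new TypeError('password must be a string, got ' + typeof options.password);
  }
  return options;
}

// Constructed sample: mysql 2.13.0 checked against the running Node.js version.
console.log('exposed:', isExposed('2.13.0', process.version));
```

Wrap the options object in requireStringPassword() at the point where it is built from request data, for example createConnection(requireStringPassword(options)).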

Vulnerable versions

2.0.0-preview   6 years ago
2.0.0-alpha8    5 years ago
2.0.0-alpha9    5 years ago
2.0.0-rc1       5 years ago
2.0.0-rc2       5 years ago
2.0.0           5 years ago
2.0.1           5 years ago
2.1.0           4 years ago
2.1.1           4 years ago
2.2.0           4 years ago
2.3.0           4 years ago
2.3.1           4 years ago
2.3.2           4 years ago
2.4.0           4 years ago
2.4.1           4 years ago
2.4.2           4 years ago
2.4.3           4 years ago
2.5.0           4 years ago
2.5.1           4 years ago
2.5.2           4 years ago
2.5.3           4 years ago
2.5.4           4 years ago
2.5.5           3 years ago
2.6.0           3 years ago
2.6.1           3 years ago
2.6.2           3 years ago
2.7.0           3 years ago
2.8.0           3 years ago
2.9.0           3 years ago
2.10.0          3 years ago
2.10.1          3 years ago
2.10.2          3 years ago
2.11.0          2 years ago
2.11.1          2 years ago
2.12.0          2 years ago
2.13.0          2 years ago

Unaffected versions

0.1.0           8 years ago
0.2.0           8 years ago
0.3.0           8 years ago
0.4.0           8 years ago
0.5.0           8 years ago
0.6.0           8 years ago
0.7.0           8 years ago
0.8.0           8 years ago
0.9.0           8 years ago
0.9.1           7 years ago
0.9.2           7 years ago
0.9.3           7 years ago
0.9.4           7 years ago
0.9.5           7 years ago
0.9.6           6 years ago
2.0.0-alpha     6 years ago
2.0.0-alpha2    6 years ago
2.0.0-alpha3    6 years ago
2.0.0-alpha4    6 years ago
2.0.0-alpha5    6 years ago
2.0.0-alpha6    6 years ago
2.0.0-alpha7    6 years ago
2.14.0          a year ago
2.14.1          a year ago
2.15.0          10 months ago
2.16.0          a month ago

Advisory timeline

  1. Published: Advisory published, Apr 25th, 2018
  2. Reported: Initial report by Сковорода Никита Андреевич, Apr 24th, 2018