Remote Memory Exposure

Module: mysql

Published: April 25th, 2018

Reported by: Сковорода Никита Андреевич

CVE-NONE

CWE-20

Vulnerable: >=2.0.0-alpha8 <=2.0.0-rc2 || >=2.0.0 <=2.13.0
Patched: >=2.14.0

Overview

Versions of mysql before 2.14.0 are vulnerable to remote memory exposure.

Affected versions of the mysql package allocate uninitialized memory and send it over the network when a number, rather than a string, is provided as the password.

Only mysql running on Node.js versions below 6.0.0 is affected, because newer Node.js versions throw on the offending call instead of allocating the buffer.
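The root cause is a type confusion on the `password` option: a numeric value reaching a legacy buffer API is treated as a byte length, not as content. The following is an added example, not code from the advisory or from the mysql project; it shows a defensive wrapper that rejects non-string connection options before they reach `createConnection()`, and a small helper that makes the length-versus-content difference visible. The names `sanitizeConnectionOptions`, `createValidatedConnection` and `bytesIfMisinterpreted` are hypothetical, and the driver is injected as a parameter so the example runs offline against a stand-in object instead of a real database.

```javascript
// Added example (not part of the advisory or the mysql package).
// Defensive validation of untrusted connection options, plus a helper that
// shows why a numeric password is dangerous when it reaches a size-taking API.

// Connection options that mysql expects as strings (assumption: these are the
// fields the calling application populates from user-controlled input).
const STRING_FIELDS = ['host', 'user', 'password', 'database'];

// Return a copy of `options` containing only the listed fields, each verified
// to be a string. Any other type (number, object, undefined-as-string) is
// rejected with a TypeError rather than silently coerced.
function sanitizeConnectionOptions(options) {
  if (options === null || typeof options !== 'object') {
    throw new TypeError('connection options must be an object');
  }
  const safe = {};
  for (const field of STRING_FIELDS) {
    const value = options[field];
    if (value === undefined) continue; // optional field, leave it unset
    if (typeof value !== 'string') {
      throw new TypeError(
        `connection option "${field}" must be a string, got ${typeof value}`
      );
    }
    safe[field] = value;
  }
  return safe;
}

// Validate first, then hand the cleaned options to the driver. `driver` is
// whatever object exposes createConnection(); in production that would be
// require('mysql'), here the caller can supply a stand-in.
function createValidatedConnection(driver, options) {
  return driver.createConnection(sanitizeConnectionOptions(options));
}

// Illustrates the hazard: a size-taking buffer constructor turns the number
// 123456 into a 123456-byte allocation, while the string '123456' encodes to
// six bytes. Buffer.alloc is used here so the demo itself is zero-filled;
// the pre-fix code path on old Node.js did not zero its allocation.
function bytesIfMisinterpreted(value) {
  if (typeof value === 'number') {
    return Buffer.alloc(value).length; // interpreted as a length
  }
  return Buffer.from(String(value), 'utf8').length; // interpreted as content
}

// Stand-in driver (constructed for the example): just echoes the options it
// receives so the result can be inspected without a network connection.
const fakeDriver = { createConnection: (opts) => ({ config: opts }) };

// Usage: a string password passes through, a numeric one is rejected.
const ok = createValidatedConnection(fakeDriver, {
  host: 'localhost', user: 'user', password: 's3cret', database: 'my_db',
});
let rejected = null;
try {
  createValidatedConnection(fakeDriver, {
    host: 'localhost', user: 'user', password: 123456, database: 'my_db',
  });
} catch (err) {
  rejected = err;
}
```

The check belongs at the trust boundary where user input becomes configuration: once a value of the wrong type is inside the driver, nothing downstream can tell a "password" of `123456` apart from a request for a 123456-byte buffer, which is exactly the confusion the advisory describes.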

Proof of Concept:

require('mysql').createConnection({
  host: 'localhost',
  user: 'user',
  password : USERPROVIDEDINPUT,  // number
  database : 'my_db'
}).connect();

Remediation

Update to version 2.14.0 or later.

References

Commit #310c6a7