PyPI: mysql-connector-python
CVE-2022-21824
Safety vulnerability ID: SFTY-20220224-69005
Safety legacy ID: pyup.io-62741
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype. Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null prototype for the object these properties are being assigned to.
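The mechanism and the fix, as an added example that is not part of this advisory and not Node.js source: a simplified model of the keyed-accumulator pattern the advisory describes, with the plain-object form next to the null-prototype form, plus a check that reports the footprint described above (empty strings on numeric keys of Object.prototype). The function names buildColumnsUnsafe, buildColumnsSafe, pollutedNumericKeys and removePollutedNumericKeys are hypothetical; the sample row is constructed.

```javascript
// Added example (not Node.js source, not the advisory's own code): a simplified
// model of the pattern behind CVE-2022-21824. Function names are hypothetical.
// Facts carried over from the advisory: an accumulator keyed by caller-supplied
// property names is reachable through "__proto__", the resulting write is an
// empty string into a numeric key, and the fix is a null-prototype accumulator.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Pre-fix shape: the accumulator is a plain object, so it inherits from
// Object.prototype and the key "__proto__" resolves to that shared prototype.
function buildColumnsUnsafe(row, properties) {
  const columns = {};
  for (const key of properties) {
    if (!columns[key]) columns[key] = [];               // "__proto__" is already truthy: skipped
    columns[key][0] = hasOwn(row, key) ? row[key] : ''; // for "__proto__" this is Object.prototype[0] = ''
  }
  return columns;
}

// Post-fix shape: a null-prototype object has no inherited "__proto__"
// accessor, so every key, including "__proto__", becomes an own property of
// the accumulator and nothing shared is touched.
function buildColumnsSafe(row, properties) {
  const columns = Object.create(null);
  for (const key of properties) {
    if (!columns[key]) columns[key] = [];
    columns[key][0] = hasOwn(row, key) ? row[key] : '';
  }
  return columns;
}

// Detection: list own numeric keys on Object.prototype. A clean runtime has
// none; the footprint described in the advisory shows up here.
function pollutedNumericKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((name) => /^\d+$/.test(name));
}

// Remediation for a running process: drop those keys again and report how many
// were removed (the properties are ordinary configurable data properties).
function removePollutedNumericKeys() {
  const keys = pollutedNumericKeys();
  for (const key of keys) delete Object.prototype[key];
  return keys.length;
}

module.exports = { buildColumnsUnsafe, buildColumnsSafe, pollutedNumericKeys, removePollutedNumericKeys };
```

The point of the pair is that the two functions differ in a single line: the accumulator's prototype. Anywhere user-controlled strings become keys of a lookup object, Object.create(null) (or a Map) removes the "__proto__" path entirely, which is the same change the referenced Node.js commit applies to console.table.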
References
- https://getsafety.com/vulnerabilities/SFTY-20220224-69005/CVE-2022-21824
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
- https://github.com/nodejs/node/commit/be69403528
- https://hackerone.com/reports/1431042
- https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html
- https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
- https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#prototype-pollution-via-console-table-properties-low-cve-2022-21824
- https://nvd.nist.gov/vuln/detail/CVE-2022-21824
- https://security-tracker.debian.org/tracker/CVE-2022-21824
- https://security.netapp.com/advisory/ntap-20220325-0007/
- https://security.netapp.com/advisory/ntap-20220729-0004/
- https://www.debian.org/security/2022/dsa-5170
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.