PyPI: mysql-connector-python
CVE-2024-21272
Safety vulnerability ID: SFTY-20241015-30374
Safety legacy ID: pyup.io-78798
Overview
MySQL Connector/Python connector takeover vulnerability
Advisory
Affected versions of the mysql-connector-python package are vulnerable to SQL injection (CWE-89, improper neutralization of special elements used in an SQL command). The defect is in the connector itself rather than in application code: input that reaches the Connector/Python SQL-handling routines is not neutralized before it is placed into SQL the connector issues, so an attacker who can influence that input can alter the statements the connector sends to the server. Oracle rates the issue as easily exploitable by a low-privileged attacker with network access over multiple protocols, with no user interaction required, and scores it CVSS 3.1 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); successful exploitation can result in takeover of MySQL Connectors, that is, full confidentiality, integrity and availability impact. Oracle lists Connector/Python 9.0.0 and prior as affected.
How to Fix
Upgrade mysql-connector-python to 9.1.0 or later, the first release that the Oracle October 2024 Critical Patch Update and the GitHub advisory list as not affected (Oracle lists 9.0.0 and prior as affected). The upstream fix is the mysql-connector-python commit linked in the references below.
Mitigation and Workarounds
No workaround is documented. Because the defect is inside the connector's own SQL handling, parameter binding in application code cannot be relied on to close it; treat the upgrade as the fix. Until it is applied, run the connector under a database account limited to the privileges the application actually needs, so that an injected statement has less it can reach.
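Finding which environments still carry an affected release is usually the first practical step. The following is an added example, not code from the Safety advisory or from the MySQL Connector/Python project: it scans pip-freeze / requirements-style text for mysql-connector-python pins and compares them against the 9.1.0 fix release named in the advisories above, and it can also report the version installed in the current interpreter. The sample manifest, the function names and the "unpinned" verdict for open-ended specifiers are constructed for illustration.

```python
"""Locate mysql-connector-python releases affected by CVE-2024-21272.

Added example, not part of the Safety advisory or of MySQL Connector/Python.
Assumption: 9.1.0 is the first release not affected, as listed by the Oracle
October 2024 CPU and GHSA-hgjp-83m4-h4fj. Everything else here (sample
manifest, helper names) is constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

PACKAGE = "mysql-connector-python"
FIXED_VERSION = (9, 1, 0, 1)  # (major, minor, patch, is_final_release)

# One requirement line: name, optional extras, first operator and version.
# Multi-clause specifiers such as ">=8.0,<9.1" only have their first clause
# read, which is deliberately treated as "unpinned" below.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(?P<op>===|==|~=|>=|<=|!=|>|<)?\s*(?P<ver>[0-9][0-9A-Za-z.]*)?"
)


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, '-', '_' and '.' alike."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'9.0.0' -> (9, 0, 0, 1). Anything that is not plain numeric (a
    pre-release tag such as '9.1.0rc1', or a .post/.dev suffix) gets final=0
    and therefore sorts before the real release: conservative, so a
    post-release of the fix would be flagged rather than silently passed."""
    parts: List[int] = []
    final = 1
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            final = 0
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):  # numeric prefix followed by a tag
            final = 0
            break
    parts = (parts + [0, 0, 0])[:3]
    return (parts[0], parts[1], parts[2], final)


def is_affected(version: str) -> bool:
    """True if this release predates the fix (Oracle: 9.0.0 and prior)."""
    return parse_version(version) < FIXED_VERSION


def scan_manifest(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, requirement, verdict) for every line that names the
    package. Verdict is 'affected', 'fixed' or 'unpinned'; the last means the
    resolver could still select an affected release, so check the lock file."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m or normalize(m.group("name")) != PACKAGE:
            continue
        op, ver = m.group("op"), m.group("ver")
        if op in ("==", "===") and ver:
            verdict = "affected" if is_affected(ver) else "fixed"
        elif op == ">=" and ver and not is_affected(ver):
            verdict = "fixed"  # lower bound is already at or above the fix
        else:
            verdict = "unpinned"
        findings.append((line_no, line, verdict))
    return findings


def installed_version() -> Optional[str]:
    """Version installed in this interpreter, or None if absent."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return version(PACKAGE)
    except PackageNotFoundError:
        return None


# Constructed sample manifest; not taken from any real project.
SAMPLE_FREEZE = """\
# constructed sample, not a real lock file
Django==5.1.1
mysql-connector-python==9.0.0
Mysql_Connector_Python==9.1.0   # normalised name still matches
mysql-connector-python>=9.1.0
mysql-connector-python>=8.0,<9.1
requests==2.32.3
"""

if __name__ == "__main__":
    for line_no, req, verdict in scan_manifest(SAMPLE_FREEZE):
        print(f"line {line_no}: {req!r} -> {verdict}")
    here = installed_version()
    if here is not None:
        print(f"installed {PACKAGE} {here}: "
              f"{'affected' if is_affected(here) else 'fixed'}")
```

Run it against `pip freeze` output from each deployment environment rather than only against requirements files: an open-ended specifier such as `>=8.0,<9.1` is reported as "unpinned" precisely because the resolver, not the manifest, decides which release is actually installed.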
Vulnerable Functions
No specific functions are listed for this advisory; the upstream fix commit in the references identifies the changed code.
References
- https://getsafety.com/vulnerabilities/SFTY-20241015-30374/CVE-2024-21272
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21272
- https://github.com/advisories/GHSA-hgjp-83m4-h4fj
- https://nvd.nist.gov/vuln/detail/CVE-2024-21272
- https://www.oracle.com/security-alerts/cpuoct2024.html
- https://github.com/mysql/mysql-connector-python/commit/e6b927af06e8a85bd3754f602df96a5592b4558c
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
