
Invalidate CVE-2022-21824 in pypi/mysql-connector-python and maven/mysql-connector-java

The description of CVE-2022-21824 at https://nvd.nist.gov/vuln/detail/CVE-2022-21824 is:

Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype. Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null prototype for the object these properties are being assigned to.

So it's definitely a problem with nodejs. The hackerone report at https://hackerone.com/reports/1431042, which initiated this CVE, confirms that it's a nodejs issue.

Therefore, it should not be reported as a vulnerability against pypi/mysql-connector-python or maven/mysql-connector-java, which have nothing to do with nodejs.
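For anyone who wants to confirm the above on their own systems, the following is an added example (not part of this merge request, and not code from Node.js or from the MySQL connector projects). It does two things: compares a Node.js version string against the fixed versions named in the CVE description, and reproduces the call shape the description warns about (`console.table()` with a plain object as the first argument and `"__proto__"` in the `properties` array) on the running Node.js, reporting whether `Object.prototype` picked up an empty-string numeric key. The specific arguments `{ a: 1 }` and `['__proto__']` are an assumption drawn from the description's wording, not from the HackerOne report. Because the flaw lives in Node's own `console.table()` implementation, a Java or Python process has no equivalent to run, which is the point of the MR.

```javascript
// Added example, not from the MR or from Node.js: two checks for CVE-2022-21824.
//
// Fixed versions per the CVE description: 12.22.9, 14.18.3, 16.13.2, 17.3.1.
// Any later major (18+) is newer than 17.3.1 and therefore fixed; release lines
// the description does not mention (13.x, 15.x) are treated as not fixed.
const FIXED_FLOORS = {
  12: [12, 22, 9],
  14: [14, 18, 3],
  16: [16, 13, 2],
  17: [17, 3, 1],
};

// Parse "v16.13.2" or "16.13.2" into [16, 13, 2]; pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Node.js version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Static check: is this Node.js version at or above the fixed version for its line?
function isFixedNodeVersion(v) {
  const parsed = parseVersion(v);
  const major = parsed[0];
  if (major > 17) return true;
  const floor = FIXED_FLOORS[major];
  if (!floor) return false;
  return compareVersions(parsed, floor) >= 0;
}

// Behavioural check: run the call pattern from the CVE description and see
// whether Object.prototype gained an own property "0" set to ''.
// On affected versions console.table() kept its column map in a plain {},
// so map['__proto__'] resolved to Object.prototype and map['__proto__'][0] = ''
// wrote through to it. Fixed versions use a null-prototype map instead.
// Note: console.table() prints a small table to stdout as a side effect.
function consoleTableProtoPollutionCheck() {
  const key = '0';
  const hadBefore = Object.prototype.hasOwnProperty.call(Object.prototype, key);

  // The assumed trigger: plain object with one property, properties = ['__proto__'].
  console.table({ a: 1 }, ['__proto__']);

  const polluted =
    !hadBefore &&
    Object.prototype.hasOwnProperty.call(Object.prototype, key) &&
    Object.prototype[key] === '';

  // Undo the pollution so the rest of the process is not affected.
  if (polluted) delete Object.prototype[key];
  return polluted;
}

// Summary for the running process: version verdict plus observed behaviour.
function report() {
  const version = process.versions.node;
  return {
    version,
    versionIsFixed: isFixedNodeVersion(version),
    runtimePolluted: consoleTableProtoPollutionCheck(),
  };
}

console.log(report());
```

The two checks should agree on any supported release line; a `versionIsFixed: false` together with `runtimePolluted: false` on 13.x or 15.x only means those lines are not listed in the description, not that they are safe.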

In an effort to fix the problem at the source, I emailed soc@us-cert.gov:

Subject: CVE-2022-21824 contains references to irrelevant software

Message:

The description of CVE-2022-21824 at https://nvd.nist.gov/vuln/detail/CVE-2022-21824 is:
>  Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype. Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null prototype for the object these properties are being assigned to.

So it's definitely a problem with nodejs. The hackerone report at https://hackerone.com/reports/1431042, which initiated this CVE, confirms that it's a nodejs issue.

However, https://nvd.nist.gov/vuln/detail/CVE-2022-21824 lists a number of configurations that I know are not node, do not depend on node, and do not have anything to do with node, including:
cpe:/a:oracle:mysql_cluster
cpe:/a:oracle:mysql_connectors
cpe:/a:oracle:mysql_enterprise_monitor
cpe:/a:oracle:mysql_server
cpe:/a:oracle:mysql_workbench

I'm not familiar with the following software, but also suspect that they don't use node and therefore are not impacted by CVE-2022-21824:
cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58
cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.59
cpe:/a:netapp:oncommand_insight:-
cpe:/a:netapp:oncommand_workflow_automation:-
cpe:/a:netapp:snapcenter:-

Can you please fix the CVE listing, removing references to software that is not impacted?

I noticed this issue because tools are reporting CVE-2022-21824 against mysql-connector-java, which clearly is not impacted by this vulnerability. For example: https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/0eb4008afde8f2ebb7353b2a7cffb720254bacc2/maven/mysql-connector-java/CVE-2022-21824.yml

References:
https://hackerone.com/reports/1431042 says this vulnerability is in nodejs
https://security-tracker.debian.org/tracker/CVE-2022-21824 lists only nodejs, and no other software, as being vulnerable
https://www.mend.io/vulnerability-database/CVE-2022-21824 lists only nodejs, and no other software, as being vulnerable
https://ubuntu.com/security/CVE-2022-21824 lists only nodejs, and no other software, as being vulnerable
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-21824 lists only nodejs, and no other software, as being vulnerable
https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-2332186 lists only nodejs, and no other software, as being vulnerable

Thank you,
~Craig Andrews
