Unauthorized SSL Connection due to lack of cert authentication

Affecting mysql package, versions <2.3.0 >=2.0.0

Do your applications use this vulnerable package? Test your applications

Overview

mysql is a node.js driver for mysql. Affected versions of this package do not validate that the remote server has a trusted SSL certificate or not, making it easier for attackers to gain access to the MySQL Server.

Remediation

Upgrade mysql to version 2.3.0 or higher.

References

CVSS Score

6.5
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Credit
Douglas Wilson
CWE
CWE-285
Snyk ID
npm:mysql:20140514
Disclosed
13 May, 2014
Published
04 Jan, 2017