CVE-2019-14939
Setting Misconfiguration vulnerability in mysql (npm)
What is CVE-2019-14939 About?
This vulnerability involves a setting misconfiguration in the mysql (mysqljs) module for Node.js, where the `LOAD DATA LOCAL INFILE` option is open by default. This misconfiguration can lead to information disclosure or arbitrary file read, and exploitation is relatively straightforward due to the default setting.
Affected Software
Technical Details
The vulnerability exists in the mysql (mysqljs) module, version 2.17.1 for Node.js, due to the LOAD DATA LOCAL INFILE option being enabled by default. This option, when active, allows a malicious MySQL server or an attacker with control over the server to read local files from the client machine connecting to it. When a client connects to such a server, the server can send a request to the client to send the content of a local file, specified by the server. Since the option is open by default, clients connecting to untrusted or compromised MySQL servers are susceptible to having their local files exfiltrated without explicit configuration changes by the user.
What is the Impact of CVE-2019-14939?
Successful exploitation may allow attackers to disclose sensitive information, read arbitrary files from the client's file system, and potentially gain unauthorized access.
What is the Exploitability of CVE-2019-14939?
Exploitation of this vulnerability is of medium complexity, requiring the attacker to either control a malicious MySQL server or compromise an existing one. No authentication is strictly required on the client side beyond establishing a connection. The attack is remote, as it occurs over the network when a vulnerable client connects to a malicious server. The primary risk factor is connecting Node.js applications using the vulnerable mysqljs module to untrusted or compromised MySQL databases without properly disabling the LOAD DATA LOCAL INFILE option. No special privileges are required on the client machine itself, as the vulnerability leverages the client's default configuration.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2019-14939?
Available Upgrade Options
- mysql
- >2.17.1, <2.18.0 → Upgrade to 2.18.0
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://osv.dev/vulnerability/GHSA-f982-mxwc-3mrx
- https://web.archive.org/web/20190812004403/https://github.com/mysqljs/mysql/issues/2257
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934712>
- https://github.com/mysqljs/mysql/issues/2471
- https://github.com/mysqljs/mysql/issues/2257
- https://github.com/mysqljs/mysql
- https://nvd.nist.gov/vuln/detail/CVE-2019-14939
- https://github.com/mysqljs/mysql/commit/337e87ae5fcea3667864197c65dc758517fcde06
What are Similar Vulnerabilities to CVE-2019-14939?
Similar Vulnerabilities: CVE-2023-21966 , CVE-2021-36203 , CVE-2017-3599 , CVE-2016-5620 , CVE-2015-0457
