Database

In NocoDB version starting from 0.202.6 and prior to version 0.202.10 a medium severity vulnerability CVE-2023-50717 was detected. Attackers can upload harmful HTML files, causing a cross-site scripting attack when opened in a browser. This allowed attackers to run JavaScript in the user’s context, possibly performing actions or stealing information. Version 0.202.10 fixes this issue. For more details, visit https://avd.aquasec.com/nvd/2023/cve-2023-50717.

In MongoDB Server versions 5.0.x up to 5.0.16 and 6.0.x up to 6.0.5 a medium severity vulnerability CVE-2024-3374 was detected. This vulnerability lets unauthorized users crash the server by creating a large BSON object during diagnostic metrics generation. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-3374.

In NocoDB versions 0.202.9 and prior a medium severity vulnerability CVE-2023-50718 was detected. This vulnerability allows attackers with created access to attack the database. To address this issue, users need to update to version 0.202.10. For more details, visit https://avd.aquasec.com/nvd/2023/cve-2023-50718/.

In MySQL Cluster versions 7.5.33 and prior, 7.6.29 and prior, 8.0.36 and prior and 8.3.0 and prior a low severity vulnerability CVE-2024-21101 was detected. High-privileged attackers with network access can exploit this vulnerability to read some data in the MySQL Cluster without authorization. Currently, there is no fix version for this vulnerability. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-21101/.

In the MySQL Server product of Oracle MySQL in versions 8.0.34 and prior a medium-severity vulnerability CVE-2024-21053 was detected. It allows high-privileged attackers with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in the unauthorized ability to cause a hang or crash of MySQL Server. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-21053/.

In ‘bson’ module of MongoDB version 4.6.2 a medium severity vulnerability CVE-2024-5629 was detected. This vulnerability allows attackers to have an access to the application memory. There are no solutions for this yet. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5629/.

In pgAdmin versions before 8.4 a critical severity vulnerability CVE-2024-2044 was detected. Unauthenticated attackers can execute code by loading and deserializing remote pickle objects on Windows servers, while authenticated attackers on POSIX/Linux servers can upload and deserialize pickle objects to gain code execution. The issue is fixed in versions 8.4 or higher. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-2044/.

In pgAdmin version 8.4 and earlier a high severity vulnerability CVE-2024-3116 was detected. It allows attackers to run harmful code on the server, endangering the integrity of the database system and the safety of your data. To address this issue, users are advised to update pgAdmin to version 8.5 or later. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-3116/.

Critical Directus vulnerability in password reset processes, potentially allowing attackers to redirect reset emails. Stemming from MySQL and MariaDB’s handling of email character variations, this flaw posed a serious security risk. Fortunately, Directus’s quick fix in version 10.8.3 underlines the importance of system updates for security. This incident stresses the need for IT professionals to maintain vigilance, update regularly, and foster a culture of security awareness to protect against evolving cyber threats.