Remote Code Execution Vulnerability in mysql2 Prior to 3.9.4
CVE-2024-21508

9.8 CRITICAL

Key Information:

Vendor: mysql
Status: Vendor
CVE Published: 11 April 2024


What is CVE-2024-21508?

The mysql2 package, widely used in Node.js applications to talk to MySQL databases, contains a code-injection flaw that can lead to Remote Code Execution (RCE). The 'readCodeFor' function generates row-parser source code at runtime and, before 3.9.4, did not properly validate the 'supportBigNumbers' and 'bigNumberStrings' option values before using them in that generated code. An attacker who can influence those option values (in practice, where connection or per-query options are built from untrusted input) can therefore inject JavaScript that runs with the privileges of the server process using mysql2. Users and developers should upgrade to version 3.9.4 or later, which closes this injection path.
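To make the bug class concrete, here is an added example that is not mysql2's code and not taken from the advisory: a cut-down model of a row-parser code generator in the style of readCodeFor. The FakePacket class, the compileParser helper, the `row.id` template and the constructed attacker value are all assumptions made for this illustration; only the option name supportBigNumbers comes from the advisory. The vulnerable generator splices the raw option into source text, so a string value rewrites the program being compiled; the hardened generator coerces the option to a boolean first (which I believe matches the 3.9.4 fix, but the example does not depend on that), so the template can only ever emit `true` or `false`.

```javascript
// Added example (not mysql2's code): a cut-down model of a row-parser code
// generator in the style of readCodeFor, built to show why splicing an
// unvalidated option into generated source is a code-injection primitive.
// FakePacket, compileParser and the `row.id` template are assumptions made
// for this illustration; only the option name supportBigNumbers is from
// the advisory.

// Stand-in for the packet reader that the generated parser calls into.
class FakePacket {
  constructor(values) {
    this.values = values;
    this.pos = 0;
  }
  // Toy semantics: with supportBigNumbers the value comes back as a string,
  // otherwise as a number. Enough to see which branch the generated code took.
  parseLengthCodedInt(supportBigNumbers) {
    const v = this.values[this.pos++];
    return supportBigNumbers ? String(v) : Number(v);
  }
}

// VULNERABLE: the option value is interpolated into source text as-is.
// Anything other than a boolean literal changes the program being compiled.
function readCodeForVulnerable(options) {
  const supportBigNumbers = options.supportBigNumbers;
  return `packet.parseLengthCodedInt(${supportBigNumbers})`;
}

// HARDENED: normalize to a boolean before interpolation, so the template can
// only produce `true` or `false`. (Assumed to mirror the 3.9.4 fix; a stricter
// variant would reject any value whose typeof is not 'boolean'.)
function readCodeForFixed(options) {
  const supportBigNumbers = Boolean(options.supportBigNumbers);
  return `packet.parseLengthCodedInt(${supportBigNumbers})`;
}

// Compile the generated snippet into a parser function, as code generators do.
// new Function stands in for whatever compile step a real library uses.
function compileParser(readCodeFor, options) {
  const body = `const row = {}; row.id = ${readCodeFor(options)}; return row;`;
  return new Function('packet', body);
}

// Constructed attacker-controlled option value. It closes the call expression,
// appends its own statement, and reopens a parenthesis so the template still
// parses. The payload only sets a marker; it could run anything.
const INJECTED_OPTION = "true); globalThis.injectedMarker = 'code ran'; (true";

// Build a parser with the given generator and option value, parse one
// constructed row, and report the parsed value plus whether the injected
// statement executed.
function runWith(readCodeFor, optionValue) {
  delete globalThis.injectedMarker;
  const parser = compileParser(readCodeFor, { supportBigNumbers: optionValue });
  const row = parser(new FakePacket([42]));
  return { id: row.id, marker: globalThis.injectedMarker };
}

function runVulnerable() {
  return runWith(readCodeForVulnerable, INJECTED_OPTION); // marker: 'code ran'
}

function runFixed() {
  return runWith(readCodeForFixed, INJECTED_OPTION); // marker: undefined
}

console.log('generated (vulnerable):', readCodeForVulnerable({ supportBigNumbers: INJECTED_OPTION }));
console.log('generated (fixed):     ', readCodeForFixed({ supportBigNumbers: INJECTED_OPTION }));
console.log('vulnerable run:', runVulnerable());
console.log('fixed run:     ', runFixed());
```

The takeaway for reviewing any code generator: every value that reaches a template string must be reduced to a literal of a known type first (a boolean, a number, a JSON-encoded string), never passed through as whatever the caller supplied. Coercion with Boolean() is the minimal fix; rejecting non-boolean input outright is the safer choice when the option is documented as a boolean.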

Affected Version(s)

mysql2: all versions before 3.9.4 (>= 0, < 3.9.4)

News Articles

CVE-2024-21508: mysql2 up to 3.9.3 readCodeFor bigNumberStrings code injection (Cloud WAF)

CVE-2024-21508: Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.

EPSS Score

9% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • 📰 First article discovered by prophaze.com
  • Vulnerability published
  • Vulnerability Reserved

Credit

Vsevolod Kokorin