Arbitrary Code Injection Vulnerability in mysql2 Before 3.9.7
CVE-2024-21511
9.8 CRITICAL
What is CVE-2024-21511?
Versions of the mysql2 package prior to 3.9.7 contain a vulnerability that allows arbitrary code injection. The flaw stems from improper sanitization of the timezone parameter within the readCodeFor function, which interacts with native MySQL Server date and time functions. An attacker able to influence that parameter may be able to execute arbitrary code on the server, compromising the security of applications that use this package.
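As an added defensive check (not code from the advisory or from the mysql2 project), the following validates a connection config before it reaches the driver: it confirms the installed mysql2 version is at or beyond the patched release and rejects any timezone value outside the forms mysql2 documents ('local', 'Z', or a +HH:MM / -HH:MM offset). The installed version is passed in as a string; in a real application it would come from mysql2's package.json, and the restriction to documented timezone forms is an assumption you should relax only if your deployment relies on other values.

```javascript
// Defence-in-depth for CVE-2024-21511: version gate plus timezone allowlist.
// Added example, not mysql2 code. FIXED_VERSION is taken from the advisory.
const FIXED_VERSION = '3.9.7';

// Assumption: only the timezone forms mysql2 documents are acceptable.
// Hours are limited to 00-23 and minutes to 00-59 so malformed offsets fail too.
const TIMEZONE_RE = /^(?:local|Z|[+-](?:[01]\d|2[0-3]):[0-5]\d)$/;

function isSafeTimezone(tz) {
  return typeof tz === 'string' && TIMEZONE_RE.test(tz);
}

// Parse the leading MAJOR.MINOR.PATCH of a version string into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing two MAJOR.MINOR.PATCH versions numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isPatched(installedVersion) {
  return compareVersions(installedVersion, FIXED_VERSION) >= 0;
}

// Returns a list of problems; an empty list means the config is acceptable.
// Call this before mysql2.createConnection(config) / createPool(config).
function checkConfig(config, installedVersion) {
  const problems = [];
  if (!isPatched(installedVersion)) {
    problems.push(`mysql2 ${installedVersion} is affected by CVE-2024-21511; upgrade to >= ${FIXED_VERSION}`);
  }
  if (config.timezone !== undefined && !isSafeTimezone(config.timezone)) {
    problems.push(`timezone value rejected; use 'local', 'Z' or +HH:MM / -HH:MM`);
  }
  return problems;
}

module.exports = { isSafeTimezone, isPatched, checkConfig, compareVersions };
```

Configuration values read from environment variables or other external sources should pass through checkConfig before being handed to the driver, regardless of the installed version.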
Affected Version(s)
mysql2 >= 0, < 3.9.7