CVE-2024-21508

Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
Configurations

No configuration.

History

21 Nov 2024, 08:54

Type        Values Removed                                                                                                                                  Values Added
References  https://blog.slonser.info/posts/mysql2-attacker-configuration/                                                                                  https://blog.slonser.info/posts/mysql2-attacker-configuration/
References  https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21                https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21
References  https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805                                                        https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805
References  https://github.com/sidorares/node-mysql2/pull/2572                                                                                              https://github.com/sidorares/node-mysql2/pull/2572
References  https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4                                                                                    https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4
References  https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085                                                                                            https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085

11 Apr 2024, 12:47

Type     Values Removed   Values Added
Summary                   (es) Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.

11 Apr 2024, 05:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-04-11 05:15

Updated : 2024-11-21 08:54


NVD link : CVE-2024-21508

Mitre link : CVE-2024-21508

CVE.ORG link : CVE-2024-21508

Products Affected

No product.

CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')