Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
References
Configurations
No configuration.
History
21 Nov 2024, 08:54
Type | Values Removed | Values Added |
---|---|---|
References | () https://blog.slonser.info/posts/mysql2-attacker-configuration/ - | |
References | () https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21 - | |
References | () https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805 - | |
References | () https://github.com/sidorares/node-mysql2/pull/2572 - | |
References | () https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4 - | |
References | () https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085 - |
11 Apr 2024, 12:47
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
11 Apr 2024, 05:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-04-11 05:15
Updated : 2024-11-21 08:54
NVD link : CVE-2024-21508
Mitre link : CVE-2024-21508
CVE.ORG link : CVE-2024-21508
JSON object : View
Products Affected
No product.
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')