GitHub Advisory Database: GHSA-FPW7-J2HG-69V5
History: Apr 11, 2024, 6:30 a.m.

mysql2 Remote Code Execution (RCE) via the readCodeFor function

2024-04-11 06:30:35
CWE-94
GitHub Advisory Database
github.com
Tags: mysql2, remote code execution, readcodefor, package vulnerability, software

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.8 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 10.4%)

Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.

Affected configurations

Vulners
  Node: github_advisory_database
  mysql2, Range: <3.9.4

CPE
  Name: mysql2, Operator: lt, Version: 3.9.4
