CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P
AI Score
Confidence: Low
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
[
  {
    "cpes": [
      "cpe:2.3:a:mysql2:mysql2:-:*:*:*:*:*:*:*"
    ],
    "vendor": "mysql2",
    "product": "mysql2",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "3.9.4",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
References
blog.slonser.info/posts/mysql2-attacker-configuration/
github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js#L14C10-L14C21
github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805
github.com/sidorares/node-mysql2/pull/2572
github.com/sidorares/node-mysql2/releases/tag/v3.9.4
security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085