Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00cmNoLTJmaDgtOTR2d84AA7Pp
MySQL2 for Node Arbitrary Code Injection
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Permalink: https://github.com/advisories/GHSA-4rch-2fh8-94vwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cmNoLTJmaDgtOTR2d84AA7Pp
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 7 months ago
Updated: 7 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-4rch-2fh8-94vw, CVE-2024-21511
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-21511
- https://github.com/sidorares/node-mysql2/pull/2608
- https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713
- https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046
- https://github.com/advisories/GHSA-4rch-2fh8-94vw
Blast Radius: 50.0
Affected Packages
npm:mysql2
Dependent packages: 4,001Dependent repositories: 126,697
Downloads: 11,613,565 last month
Affected Version Ranges: < 3.9.7
Fixed in: 3.9.7
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.8.11, 0.8.12, 0.8.13, 0.8.14, 0.8.15, 0.8.16, 0.8.17, 0.8.18, 0.8.19, 0.8.20, 0.8.21, 0.9.1, 0.9.2, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7, 0.11.8, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.13.0, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.15.7, 0.15.8, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.7.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6
All unaffected versions: 3.9.7, 3.9.8, 3.9.9, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.11.4