Bug 2274446 (CVE-2024-21508)

Summary: CVE-2024-21508 mysql2: Remote Code Execution
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jchui, ktsao, nboldt, rtaniwa, tkral
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mysql2 3.9.4 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the MySQL2 npm package. Affected versions of this package are vulnerable to remote code execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2274447    

Description Avinash Hanwate 2024-04-11 05:45:45 UTC 
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.

https://blog.slonser.info/posts/mysql2-attacker-configuration/
https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21
https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805
https://github.com/sidorares/node-mysql2/pull/2572
https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4
https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085