Bug 2276801 (CVE-2024-21511)

Summary: CVE-2024-21511 mysql2: Arbitrary Code Injection due to improper sanitization of the timezone parameter
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: CLOSED WONTFIX
Severity: high
Priority: high
Version: unspecified
CC: cdaley, jchui, ktsao, nboldt, rtaniwa, tkral
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: mysql2 3.9.7
Doc Text:
A flaw was found in the MySQL2 npm package. Affected versions of this package are vulnerable to arbitrary code injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Last Closed: 2024-04-24 12:57:00 UTC
Bug Blocks: 2276802    

Description Avinash Hanwate 2024-04-24 04:37:17 UTC
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.

https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713
https://github.com/sidorares/node-mysql2/pull/2608
https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7
https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046