2274446 – (CVE-2024-21508) CVE-2024-21508 mysql2: Remote Code Execution

Bug 2274446 (CVE-2024-21508) - CVE-2024-21508 mysql2: Remote Code Execution

Summary: CVE-2024-21508 mysql2: Remote Code Execution

Keywords:
Status:	NEW
Alias:	CVE-2024-21508
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2274447
TreeView+	depends on / blocked

Reported:	2024-04-11 05:45 UTC by Avinash Hanwate
Modified:	2024-04-19 08:18 UTC (History)
CC List:	5 users (show)
Fixed In Version:	mysql2 3.9.4
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the MySQL2 npm package. Affected versions of this package are vulnerable to remote code execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2024-04-11 05:45:45 UTC

Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.

https://blog.slonser.info/posts/mysql2-attacker-configuration/
https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21
https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805
https://github.com/sidorares/node-mysql2/pull/2572
https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4
https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085

Note You need to log in before you can comment on or make changes to this bug.