Vulnerability Description
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://blog.slonser.info/posts/mysql2-attacker-configuration/
- https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe7
- https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b4965
- https://github.com/sidorares/node-mysql2/pull/2572
- https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085
- https://blog.slonser.info/posts/mysql2-attacker-configuration/
- https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe7
- https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b4965
- https://github.com/sidorares/node-mysql2/pull/2572
- https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085
FAQ
What is CVE-2024-21508?
CVE-2024-21508 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
How severe is CVE-2024-21508?
CVE-2024-21508 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-21508?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.