[NPM:GHSA-4RCH-2FH8-94VW] MySQL2 for Node Arbitrary Code Injection

Severity Critical

Affected Packages 1

Fixed Packages 1

CVEs 1

Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.

Package	Affected Version
pkg:npm/mysql2	< 3.9.7

Package	Fixed Version
pkg:npm/mysql2	= 3.9.7

ID: NPM:GHSA-4RCH-2FH8-94VW
Severity: critical
URL: https://github.com/advisories/GHSA-4rch-2fh8-94vw
Published: 2024-04-23T06:30:47
(3 months ago)
Modified: 2024-04-23T20:50:58
(3 months ago)
Rights: NPM Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2024-21511
			https://github.com/sidorares/node-mysql2/pull/2608
			https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713
			https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7
			https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046
			https://github.com/advisories/GHSA-4rch-2fh8-94vw

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:npm/mysql2		mysql2	< 3.9.7
Fixed	pkg:npm/mysql2		mysql2	= 3.9.7

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date