Vulnerability

CVE-2024-21511

 Report advisory or correction

CVSS Score 9.8 critical

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-94

References

https://github.com/sidorares/node-mysql2/pull/2608
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21511

[CVE-2024-21511] CWE-94: Improper Control of Generation of Code ('Code Injection')

Description

Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.

Deviation Notice:
Sonatype's research suggests that this CVE's details differ from those defined at NVD or other reporting sources; sign in for details.

Sign up and see:

Detailed deviation notices:
  • Detailed deviations
  • References
  • Custom Descriptions [Coming Soon]
Sign Up
See mysql2 package information