CVE-2024-21511: MySQL2 for Node Arbitrary Code Injection
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
References
- github.com/advisories/GHSA-4rch-2fh8-94vw
- github.com/sidorares/node-mysql2
- github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713
- github.com/sidorares/node-mysql2/pull/2608
- github.com/sidorares/node-mysql2/releases/tag/v3.9.7
- nvd.nist.gov/vuln/detail/CVE-2024-21511
- security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046
Detect and mitigate CVE-2024-21511 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →