CVE-2024-21508

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-21508

CGA ID

CGA-9p5m-2fmv-28g4

Severity

9.8

Critical

CVSS V3

Description

Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.

References

https://images.chainguard.dev/security/CGA-9p5m-2fmv-28g4
https://github.com/advisories/GHSA-fpw7-j2hg-69v5
https://blog.slonser.info/posts/mysql2-attacker-configuration/
https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805
https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21
https://github.com/sidorares/node-mysql2/pull/2572
https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4
https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Media Kit Contact Us

Private Policy

CVE-2024-21508

Severity

Description

References

Affected packages

Product

Why Chainguard

Customers

Company

Resources