Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-21511
### Vulnerable Library - mysql2-3.1.0.tgzLibrary home page: https://registry.npmjs.org/mysql2/-/mysql2-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy: - :x: **mysql2-3.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
### Vulnerability DetailsVersions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Publish Date: 2024-04-23
URL: CVE-2024-21511
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21511
Release Date: 2024-04-23
Fix Resolution: 3.9.7
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-21508
### Vulnerable Library - mysql2-3.1.0.tgzLibrary home page: https://registry.npmjs.org/mysql2/-/mysql2-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy: - :x: **mysql2-3.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
### Vulnerability DetailsVersions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
Publish Date: 2024-04-11
URL: CVE-2024-21508
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21508
Release Date: 2024-04-11
Fix Resolution: 3.9.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-21512
### Vulnerable Library - mysql2-3.1.0.tgzLibrary home page: https://registry.npmjs.org/mysql2/-/mysql2-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy: - :x: **mysql2-3.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
### Vulnerability DetailsVersions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
Publish Date: 2024-05-29
URL: CVE-2024-21512
### CVSS 3 Score Details (8.2)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2024-05-29
Fix Resolution: 3.9.8
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-21509
### Vulnerable Library - mysql2-3.1.0.tgzLibrary home page: https://registry.npmjs.org/mysql2/-/mysql2-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy: - :x: **mysql2-3.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
### Vulnerability DetailsVersions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
Publish Date: 2024-04-10
URL: CVE-2024-21509
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21509
Release Date: 2024-04-10
Fix Resolution: 3.9.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-21507
### Vulnerable Library - mysql2-3.1.0.tgzLibrary home page: https://registry.npmjs.org/mysql2/-/mysql2-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy: - :x: **mysql2-3.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e
Found in base branch: main
### Vulnerability DetailsVersions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
Publish Date: 2024-04-10
URL: CVE-2024-21507
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21507
Release Date: 2024-04-10
Fix Resolution: 3.9.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.