ГлавнаяУязвимости → CVE-2024-21508
9.8критическая

CVE-2024-21508

Описание

Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.

CVSS
Балл9.8 — критическая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Источники
https://blog.slonser.info/posts/mysql2-attacker-configuration/https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805https://github.com/sidorares/node-mysql2/pull/2572https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085https://blog.slonser.info/posts/mysql2-attacker-configuration/https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21