{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21508", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-12-22T12:33:20.119Z", "datePublished": "2024-04-11T05:00:00.748Z", "dateUpdated": "2024-08-01T22:20:40.908Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P"}}], "credits": [{"value": "Vsevolod Kokorin", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Remote Code Execution (RCE)", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-05-05T15:25:03.937Z"}, "descriptions": [{"value": "Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085"}, {"url": "https://blog.slonser.info/posts/mysql2-attacker-configuration/"}, {"url": "https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21"}, {"url": "https://github.com/sidorares/node-mysql2/pull/2572"}, {"url": "https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805"}, {"url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4"}], "affected": [{"product": "mysql2", "versions": [{"version": "0", "lessThan": "3.9.4", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"affected": [{"vendor": "mysql2", "product": "mysql2", "cpes": ["cpe:2.3:a:mysql2:mysql2:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "3.9.4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-11T13:05:22.610894Z", "id": "CVE-2024-21508", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-18T20:18:04.928Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:40.908Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085", "tags": ["x_transferred"]}, {"url": "https://blog.slonser.info/posts/mysql2-attacker-configuration/", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/pull/2572", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085", "tags": ["x_transferred"]}, {"url": "https://blog.slonser.info/posts/mysql2-attacker-configuration/", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/pull/2572", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:40.908Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21508", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-11T13:05:22.610894Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mysql2:mysql2:-:*:*:*:*:*:*:*"], "vendor": "mysql2", "product": "mysql2", "versions": [{"status": "affected", "version": "0", "lessThan": "3.9.4", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-18T20:18:01.122Z"}}], "cna": {"credits": [{"lang": "en", "value": "Vsevolod Kokorin"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "mysql2", "versions": [{"status": "affected", "version": "0", "lessThan": "3.9.4", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085"}, {"url": "https://blog.slonser.info/posts/mysql2-attacker-configuration/"}, {"url": "https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21"}, {"url": "https://github.com/sidorares/node-mysql2/pull/2572"}, {"url": "https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805"}, {"url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4"}], "descriptions": [{"lang": "en", "value": "Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-94", "description": "Remote Code Execution (RCE)"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-05-05T15:25:03.937Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21508", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:20:40.908Z", "dateReserved": "2023-12-22T12:33:20.119Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2024-04-11T05:00:00.748Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values."}, {"lang": "es", "value": "Las versiones del paquete mysql2 anteriores a la 3.9.4 son vulnerables a la ejecuci\u00f3n remota de c\u00f3digo (RCE) a trav\u00e9s de la funci\u00f3n readCodeFor debido a una validaci\u00f3n incorrecta de los valores supportBigNumbers y bigNumberStrings."}], "id": "CVE-2024-21508", "lastModified": "2024-04-11T12:47:44.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2024-04-11T05:15:47.263", "references": [{"source": "report@snyk.io", "url": "https://blog.slonser.info/posts/mysql2-attacker-configuration/"}, {"source": "report@snyk.io", "url": "https://github.com/sidorares/node-mysql2/blob/1609b5393516d72a4ae47196837317fbe75e0c13/lib/parsers/text_parser.js%23L14C10-L14C21"}, {"source": "report@snyk.io", "url": "https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805"}, {"source": "report@snyk.io", "url": "https://github.com/sidorares/node-mysql2/pull/2572"}, {"source": "report@snyk.io", "url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591085"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "report@snyk.io", "type": "Secondary"}]}

{"bugzilla": {"description": "mysql2: Remote Code Execution", "id": "2274446", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274446"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-94", "details": ["Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.", "A flaw was found in the MySQL2 npm package. Affected versions of this package are vulnerable to remote code execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-21508", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-hub-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}], "public_date": "2024-04-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21508\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21508"], "statement": "The mysql2 dependency is inherited from upstream Backstage, which is designed to support various databases. However, RHDH exclusively supports PostgreSQL for production use, so this issue doesn't impact us.", "threat_severity": "Important", "upstream_fix": "mysql2 3.9.4"}