{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21511", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-12-22T12:33:20.120Z", "datePublished": "2024-04-23T05:00:00.602Z", "dateUpdated": "2024-08-01T22:20:40.911Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P"}}], "credits": [{"value": "zhaoyudi (Nebulalab)", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Arbitrary Code Injection", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-05-08T09:07:06.904Z"}, "descriptions": [{"value": "Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046"}, {"url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7"}, {"url": "https://github.com/sidorares/node-mysql2/pull/2608"}, {"url": "https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713"}], "affected": [{"product": "mysql2", "versions": [{"version": "0", "lessThan": "3.9.7", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21511", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-25T14:55:36.593699Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mysql2:mysql2:-:*:*:*:*:*:*:*"], "vendor": "mysql2", "product": "mysql2", "versions": [{"status": "affected", "version": "0", "lessThan": "3.9.7", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:38:16.126Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:40.911Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/pull/2608", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/pull/2608", "tags": ["x_transferred"]}, {"url": "https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:40.911Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21511", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-25T14:55:36.593699Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mysql2:mysql2:-:*:*:*:*:*:*:*"], "vendor": "mysql2", "product": "mysql2", "versions": [{"status": "affected", "version": "0", "lessThan": "3.9.7", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-23T12:56:05.992Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"credits": [{"lang": "en", "value": "zhaoyudi (Nebulalab)"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "mysql2", "versions": [{"status": "affected", "version": "0", "lessThan": "3.9.7", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046"}, {"url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7"}, {"url": "https://github.com/sidorares/node-mysql2/pull/2608"}, {"url": "https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713"}], "descriptions": [{"lang": "en", "value": "Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-94", "description": "Arbitrary Code Injection"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-05-08T09:07:06.904Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21511", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:20:40.911Z", "dateReserved": "2023-12-22T12:33:20.120Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2024-04-23T05:00:00.602Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function."}, {"lang": "es", "value": "Las versiones del paquete mysql2 anteriores a la 3.9.7 son vulnerables a la inyecci\u00f3n de c\u00f3digo arbitrario debido a una sanitizaci\u00f3n inadecuada del par\u00e1metro de zona horaria en la funci\u00f3n readCodeFor al llamar a una funci\u00f3n de fecha/hora nativa del servidor MySQL."}], "id": "CVE-2024-21511", "lastModified": "2024-04-23T12:52:09.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2024-04-23T05:15:48.963", "references": [{"source": "report@snyk.io", "url": "https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713"}, {"source": "report@snyk.io", "url": "https://github.com/sidorares/node-mysql2/pull/2608"}, {"source": "report@snyk.io", "url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "report@snyk.io", "type": "Secondary"}]}

{"bugzilla": {"description": "mysql2: Arbitrary Code Injection due to improper sanitization of the timezone parameter", "id": "2276801", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2276801"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-94", "details": ["Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.", "A flaw was found in the MySQL2 npm package. Affected versions of this package are vulnerable to arbitrary code injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function."], "name": "CVE-2024-21511", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-hub-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}], "public_date": "2024-04-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21511\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21511\nhttps://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046"], "threat_severity": "Important", "upstream_fix": "mysql2 3.9.7"}