Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-21511
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
- ❌ mysql2-1.7.0.tgz (Vulnerable Library)
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Publish Date: 2024-04-23
URL: CVE-2024-21511
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.1%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4rch-2fh8-94vw
Release Date: 2024-04-23
Fix Resolution: mysql2 - 3.9.7
CVE-2024-21508
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
- ❌ mysql2-1.7.0.tgz (Vulnerable Library)
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
Publish Date: 2024-04-11
URL: CVE-2024-21508
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 55.6%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-fpw7-j2hg-69v5
Release Date: 2024-04-11
Fix Resolution: mysql2 - 3.9.4
CVE-2024-21512
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
- ❌ mysql2-1.7.0.tgz (Vulnerable Library)
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
Publish Date: 2024-05-29
URL: CVE-2024-21512
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 68.3%
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-pmh2-wpjm-fj45
Release Date: 2024-05-29
Fix Resolution: mysql2 - 3.9.8
CVE-2024-21509
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
- ❌ mysql2-1.7.0.tgz (Vulnerable Library)
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
Publish Date: 2024-04-10
URL: CVE-2024-21509
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.6%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-49j4-86m8-q2jw
Release Date: 2024-04-10
Fix Resolution: mysql2 - 3.9.4
CVE-2024-21507
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
- ❌ mysql2-1.7.0.tgz (Vulnerable Library)
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
Publish Date: 2024-04-10
URL: CVE-2024-21507
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.3%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-mqr2-w7wj-jjgr
Release Date: 2024-04-10
Fix Resolution: mysql2 - 3.9.3
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Publish Date: 2024-04-23
URL: CVE-2024-21511
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.1%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4rch-2fh8-94vw
Release Date: 2024-04-23
Fix Resolution: mysql2 - 3.9.7
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
Publish Date: 2024-04-11
URL: CVE-2024-21508
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 55.6%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-fpw7-j2hg-69v5
Release Date: 2024-04-11
Fix Resolution: mysql2 - 3.9.4
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
Publish Date: 2024-05-29
URL: CVE-2024-21512
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 68.3%
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-pmh2-wpjm-fj45
Release Date: 2024-05-29
Fix Resolution: mysql2 - 3.9.8
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
Publish Date: 2024-04-10
URL: CVE-2024-21509
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.6%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-49j4-86m8-q2jw
Release Date: 2024-04-10
Fix Resolution: mysql2 - 3.9.4
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
Publish Date: 2024-04-10
URL: CVE-2024-21507
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.3%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-mqr2-w7wj-jjgr
Release Date: 2024-04-10
Fix Resolution: mysql2 - 3.9.3