Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Found in HEAD commit: a8c329a3af185a914e5bb0f48e708b10999e5581
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-21508
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
- ❌ mysql2-1.7.0.tgz (Vulnerable Library)
Found in HEAD commit: a8c329a3af185a914e5bb0f48e708b10999e5581
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
Publish Date: 2024-04-11
URL: CVE-2024-21508
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21508
Release Date: 2024-04-11
Fix Resolution: mysql2 - 3.9.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-21509
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
- ❌ mysql2-1.7.0.tgz (Vulnerable Library)
Found in HEAD commit: a8c329a3af185a914e5bb0f48e708b10999e5581
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
Publish Date: 2024-04-10
URL: CVE-2024-21509
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21509
Release Date: 2024-04-10
Fix Resolution: mysql2 - 3.9.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-21507
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
- ❌ mysql2-1.7.0.tgz (Vulnerable Library)
Found in HEAD commit: a8c329a3af185a914e5bb0f48e708b10999e5581
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
Publish Date: 2024-04-10
URL: CVE-2024-21507
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21507
Release Date: 2024-04-10
Fix Resolution: mysql2 - 3.9.3
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-21511
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
- ❌ mysql2-1.7.0.tgz (Vulnerable Library)
Found in HEAD commit: a8c329a3af185a914e5bb0f48e708b10999e5581
Found in base branch: master
Vulnerability Details
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Publish Date: 2024-04-23
URL: CVE-2024-21511
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21511
Release Date: 2024-04-23
Fix Resolution: mysql2 - 3.9.7
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-21512
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
- ❌ mysql2-1.7.0.tgz (Vulnerable Library)
Found in HEAD commit: a8c329a3af185a914e5bb0f48e708b10999e5581
Found in base branch: master
Vulnerability Details
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
Publish Date: 2024-05-29
URL: CVE-2024-21512
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-29
Fix Resolution: mysql2 - 3.9.8
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Found in HEAD commit: a8c329a3af185a914e5bb0f48e708b10999e5581
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
Found in HEAD commit: a8c329a3af185a914e5bb0f48e708b10999e5581
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
Publish Date: 2024-04-11
URL: CVE-2024-21508
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21508
Release Date: 2024-04-11
Fix Resolution: mysql2 - 3.9.4
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
Found in HEAD commit: a8c329a3af185a914e5bb0f48e708b10999e5581
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
Publish Date: 2024-04-10
URL: CVE-2024-21509
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21509
Release Date: 2024-04-10
Fix Resolution: mysql2 - 3.9.4
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
Found in HEAD commit: a8c329a3af185a914e5bb0f48e708b10999e5581
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
Publish Date: 2024-04-10
URL: CVE-2024-21507
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21507
Release Date: 2024-04-10
Fix Resolution: mysql2 - 3.9.3
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
Found in HEAD commit: a8c329a3af185a914e5bb0f48e708b10999e5581
Found in base branch: master
Vulnerability Details
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Publish Date: 2024-04-23
URL: CVE-2024-21511
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21511
Release Date: 2024-04-23
Fix Resolution: mysql2 - 3.9.7
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - mysql2-1.7.0.tgz
fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-1.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mysql2/package.json
Dependency Hierarchy:
Found in HEAD commit: a8c329a3af185a914e5bb0f48e708b10999e5581
Found in base branch: master
Vulnerability Details
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
Publish Date: 2024-05-29
URL: CVE-2024-21512
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2024-05-29
Fix Resolution: mysql2 - 3.9.8
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.