CVE-2024-21511
PUBLISHED
CVSS 9.8 CRITICAL
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
EPSS 0.17% · 38.3rd percentile
Risk Scores
CVSS v3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P
EPSS Score
0.17%
38.3rd percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | mysql2 | all versions before 3.9.7 (affected from 0) |
| mysql2 | mysql2 | all versions before 3.9.7 (affected from 0) |
| npm | mysql2 | all versions before 3.9.7 (affected from 0) |
Timeline
- Apr 23, 2024 CVE Published
- Apr 23, 2024 EPSS Score
- May 18, 2024 EPSS Score
- Jun 12, 2024 EPSS Score
- Jul 31, 2024 EPSS Score
- Aug 25, 2024 EPSS Score
- Sep 19, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 13, 2024 EPSS Score
- Nov 7, 2024 EPSS Score
- Dec 27, 2024 EPSS Score
- Jan 21, 2025 EPSS Score
References
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046 (url)
- https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7 (url)
- https://github.com/sidorares/node-mysql2/pull/2608 (url)
- https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713 (url)
- https://nvd.nist.gov/vuln/detail/CVE-2024-21511 (advisory)
- https://github.com/sidorares/node-mysql2 (package)