प्लेटफ़ॉर्म
nodejs
घटक
mysql2
में ठीक किया गया
3.9.7
3.9.7
CVE-2024-21511 describes an Arbitrary Code Injection vulnerability affecting the mysql2 package. This flaw arises from inadequate sanitization of the timezone parameter within the readCodeFor function, enabling attackers to potentially execute arbitrary code by leveraging native MySQL Server date/time functions. The vulnerability impacts Node.js applications utilizing mysql2 versions before 3.9.7. A fix is available in version 3.9.7.
The Arbitrary Code Injection vulnerability in mysql2 presents a severe risk to applications relying on MySQL database connectivity. An attacker could exploit this flaw by crafting malicious timezone values that, when processed by the readCodeFor function, trigger the execution of arbitrary code on the MySQL server. This could lead to complete system compromise, including data exfiltration, modification, and denial of service. The potential blast radius extends to any sensitive data stored within the MySQL database, as well as the underlying server infrastructure. This vulnerability shares similarities with other injection flaws where improper input validation allows for the execution of unintended commands.
CVE-2024-21511 was publicly disclosed on April 23, 2024. The vulnerability's severity is rated as CRITICAL (CVSS 9.8). Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the high impact. The vulnerability is not currently listed on the CISA KEV catalog, but its criticality warrants close monitoring. Active exploitation campaigns are possible, particularly targeting applications with outdated mysql2 versions.
Node.js applications that directly interact with MySQL databases using the mysql2 package are at risk. This includes web applications, backend services, and any other systems relying on mysql2 for database connectivity. Applications with legacy configurations or those that haven't been regularly updated are particularly vulnerable.
• nodejs / server:
npm list mysql2Check the installed version of mysql2. If it's less than 3.9.7, the system is vulnerable.
• nodejs / server:
grep -r 'readCodeFor' ./node_modules/mysql2/Search for the readCodeFor function within the mysql2 module to identify potential custom implementations or modifications that might exacerbate the vulnerability.
• generic web:
Review application code for any places where timezone values are passed to MySQL queries through the mysql2 library. Look for unsanitized user input being used in timezone settings.
disclosure
एक्सप्लॉइट स्थिति
EPSS
0.13% (32% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2024-21511 is to immediately upgrade the mysql2 package to version 3.9.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation on the timezone parameter before passing it to the mysql2 library. While not a complete solution, this can reduce the attack surface. Additionally, review database user permissions to limit the privileges of accounts used by the application. Monitor MySQL logs for suspicious activity related to timezone parameter manipulation. After upgrading, confirm the fix by attempting to reproduce the vulnerability with a known malicious timezone string and verifying that it is properly sanitized.
Actualice el paquete mysql2 a la versión 3.9.7 o superior. Esto se puede hacer utilizando npm o yarn. Ejecute `npm install mysql2@latest` o `yarn upgrade mysql2` para actualizar a la versión más reciente que corrige la vulnerabilidad.
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2024-21511 is a critical vulnerability in the mysql2 package where improper timezone parameter sanitization allows attackers to execute arbitrary code on the MySQL server.
You are affected if your Node.js application uses mysql2 versions prior to 3.9.7. Check your installed version with npm list mysql2.
Upgrade the mysql2 package to version 3.9.7 or later using npm install [email protected]. If upgrading is not possible, implement input validation on the timezone parameter.
While no active exploitation has been confirmed, the vulnerability's criticality and ease of exploitation suggest active campaigns are possible.
Refer to the official mysql2 GitHub repository and npm package page for updates and advisories related to CVE-2024-21511.
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।