CVE-2024-21511
Arbitrary Code Injection vulnerability in mysql2 (npm)
What is CVE-2024-21511 About?
This vulnerability allows for Arbitrary Code Injection in the mysql2 package versions prior to 3.9.7. It stems from insufficient sanitization of the 'timezone' parameter, potentially leading to remote code execution. Exploitation is relatively easy due to input validation flaws.
Affected Software
Technical Details
The vulnerability lies within the 'readCodeFor' function of the mysql2 package, specifically in how it handles the 'timezone' parameter. Insufficient sanitization of this parameter allows an attacker to inject arbitrary code. When a native MySQL Server date/time function is called with the unsanitized 'timezone' value, the injected code is executed, leading to arbitrary code execution on the system running the vulnerable package.
What is the Impact of CVE-2024-21511?
Successful exploitation may allow attackers to execute arbitrary code on the server, leading to full system compromise, data manipulation, and denial of service.
What is the Exploitability of CVE-2024-21511?
Exploitation of this vulnerability appears to be of medium complexity. It requires remote access to an application utilizing the vulnerable mysql2 package. No prior authentication or elevated privileges are explicitly mentioned as prerequisites, suggesting it could be exploited by an unauthenticated attacker. The primary attack vector involves crafting malicious input for the 'timezone' parameter, which is then processed by the 'readCodeFor' function. The ease of exploitation is heightened by the improper sanitization, making it vulnerable to direct injection attacks.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2024-21511?
About the Fix from Resolved Security
The patch prevents code injection by properly escaping the user-supplied timezone parameter using a safe escaping function before embedding it in generated code, instead of directly concatenating it as a string. This mitigates CVE-2024-21511, which allowed attackers to inject arbitrary JavaScript by crafting malicious timezone values, leading to potential code execution in affected environments.
Available Upgrade Options
- mysql2
- <3.9.7 → Upgrade to 3.9.7
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2024-21511
- https://github.com/sidorares/node-mysql2/pull/2608
- https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7
- https://github.com/sidorares/node-mysql2/pull/2608
- https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7
- https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046
- https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713
- https://github.com/sidorares/node-mysql2
- https://osv.dev/vulnerability/GHSA-4rch-2fh8-94vw
What are Similar Vulnerabilities to CVE-2024-21511?
Similar Vulnerabilities: CVE-2022-22965 , CVE-2021-44228 , CVE-2017-5638 , CVE-2019-11581 , CVE-2020-13935
