Sidorares Mysql2 vulnerabilities
5 known vulnerabilities affecting sidorares/mysql2.
Total CVEs
5
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH1MEDIUM2
Vulnerabilities
Page 1 of 1
CVE-2024-21508P2CRITICAL≥ 0, < 3.9.42024-04-11
CVE-2024-21508 [CRITICAL] CWE-94 mysql2 Remote Code Execution (RCE) via the readCodeFor function
mysql2 Remote Code Execution (RCE) via the readCodeFor function
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the `readCodeFor` function due to improper validation of the `supportBigNumbers` and `bigNumberStrings` values.
ghsaosv
CVE-2024-21511P3CRITICAL≥ 0, < 3.9.72024-04-23
CVE-2024-21511 [CRITICAL] CWE-94 MySQL2 for Node Arbitrary Code Injection
MySQL2 for Node Arbitrary Code Injection
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
ghsaosv
CVE-2024-21512P3HIGH≥ 0, < 3.9.82024-05-30
CVE-2024-21512 [HIGH] CWE-1321 mysql2 vulnerable to Prototype Pollution
mysql2 vulnerable to Prototype Pollution
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
ghsaosv
CVE-2024-21509P4MEDIUMCVSS 6.5fixed in 3.9.42024-04-10
CVE-2024-21509 [MEDIUM] CWE-1321 CVE-2024-21509: Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure re
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
ghsanvdosv
CVE-2024-21507P4MEDIUMCVSS 5.3fixed in 3.9.32024-04-10
CVE-2024-21507 [MEDIUM] CWE-20 CVE-2024-21507: Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
ghsanvdosv