Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mysql-1.6.8.tgz: 5 vulnerabilities (highest severity is: 9.8) #154

Open
mend-bolt-for-github bot opened this issue Apr 11, 2024 · 0 comments
Open

mysql-1.6.8.tgz: 5 vulnerabilities (highest severity is: 9.8) #154

mend-bolt-for-github bot opened this issue Apr 11, 2024 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-bolt-for-github
Copy link
Contributor

mend-bolt-for-github bot commented Apr 11, 2024
edited
Loading

Vulnerable Library - mysql-1.6.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 0b828a852c0c8aa892698c53e45ecff7b3a00e42

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (mysql version) Remediation Possible**
CVE-2024-21511 Critical 9.8 mysql2-3.3.5.tgz Transitive 1.7.5
CVE-2024-21508 Critical 9.8 mysql2-3.3.5.tgz Transitive 1.7.5
CVE-2024-21512 High 8.2 mysql2-3.3.5.tgz Transitive 2.0.1
CVE-2024-21509 Medium 6.5 mysql2-3.3.5.tgz Transitive 1.7.5
CVE-2024-21507 Medium 6.5 mysql2-3.3.5.tgz Transitive 1.7.5

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-21511

Vulnerable Library - mysql2-3.3.5.tgz

Library home page: https://registry.npmjs.org/mysql2/-/mysql2-3.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • mysql-1.6.8.tgz (Root Library)
    • mysql2-3.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 0b828a852c0c8aa892698c53e45ecff7b3a00e42

Found in base branch: main

Vulnerability Details

Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.

Publish Date: 2024-04-23

URL: CVE-2024-21511

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21511

Release Date: 2024-04-23

Fix Resolution (mysql2): 3.9.7

Direct dependency fix Resolution (@keyv/mysql): 1.7.5

Step up your Open Source Security Game with Mend here

CVE-2024-21508

Vulnerable Library - mysql2-3.3.5.tgz

Library home page: https://registry.npmjs.org/mysql2/-/mysql2-3.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • mysql-1.6.8.tgz (Root Library)
    • mysql2-3.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 0b828a852c0c8aa892698c53e45ecff7b3a00e42

Found in base branch: main

Vulnerability Details

Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.

Publish Date: 2024-04-11

URL: CVE-2024-21508

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21508

Release Date: 2024-04-11

Fix Resolution (mysql2): 3.9.4

Direct dependency fix Resolution (@keyv/mysql): 1.7.5

Step up your Open Source Security Game with Mend here

CVE-2024-21512

Vulnerable Library - mysql2-3.3.5.tgz

Library home page: https://registry.npmjs.org/mysql2/-/mysql2-3.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • mysql-1.6.8.tgz (Root Library)
    • mysql2-3.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 0b828a852c0c8aa892698c53e45ecff7b3a00e42

Found in base branch: main

Vulnerability Details

Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.

Publish Date: 2024-05-29

URL: CVE-2024-21512

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-29

Fix Resolution (mysql2): 3.9.8

Direct dependency fix Resolution (@keyv/mysql): 2.0.1

Step up your Open Source Security Game with Mend here

CVE-2024-21509

Vulnerable Library - mysql2-3.3.5.tgz

Library home page: https://registry.npmjs.org/mysql2/-/mysql2-3.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • mysql-1.6.8.tgz (Root Library)
    • mysql2-3.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 0b828a852c0c8aa892698c53e45ecff7b3a00e42

Found in base branch: main

Vulnerability Details

Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.

Publish Date: 2024-04-10

URL: CVE-2024-21509

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21509

Release Date: 2024-04-10

Fix Resolution (mysql2): 3.9.4

Direct dependency fix Resolution (@keyv/mysql): 1.7.5

Step up your Open Source Security Game with Mend here

CVE-2024-21507

Vulnerable Library - mysql2-3.3.5.tgz

Library home page: https://registry.npmjs.org/mysql2/-/mysql2-3.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • mysql-1.6.8.tgz (Root Library)
    • mysql2-3.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 0b828a852c0c8aa892698c53e45ecff7b3a00e42

Found in base branch: main

Vulnerability Details

Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.

Publish Date: 2024-04-10

URL: CVE-2024-21507

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21507

Release Date: 2024-04-10

Fix Resolution (mysql2): 3.9.3

Direct dependency fix Resolution (@keyv/mysql): 1.7.5

Step up your Open Source Security Game with Mend here
@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Apr 11, 2024
@mend-bolt-for-github mend-bolt-for-github bot changed the title mysql-1.6.8.tgz: 2 vulnerabilities (highest severity is: 5.5) mysql-1.6.8.tgz: 2 vulnerabilities (highest severity is: 6.5) Apr 16, 2024
@mend-bolt-for-github mend-bolt-for-github bot changed the title mysql-1.6.8.tgz: 2 vulnerabilities (highest severity is: 6.5) mysql-1.6.8.tgz: 4 vulnerabilities (highest severity is: 9.8) Apr 24, 2024
@mend-bolt-for-github mend-bolt-for-github bot changed the title mysql-1.6.8.tgz: 4 vulnerabilities (highest severity is: 9.8) mysql-1.6.8.tgz: 5 vulnerabilities (highest severity is: 9.8) May 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants