You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
mend-bolt-for-githubbot
changed the title
mysql-1.6.8.tgz: 2 vulnerabilities (highest severity is: 5.5)
mysql-1.6.8.tgz: 2 vulnerabilities (highest severity is: 6.5)
Apr 16, 2024
mend-bolt-for-githubbot
changed the title
mysql-1.6.8.tgz: 2 vulnerabilities (highest severity is: 6.5)
mysql-1.6.8.tgz: 4 vulnerabilities (highest severity is: 9.8)
Apr 24, 2024
mend-bolt-for-githubbot
changed the title
mysql-1.6.8.tgz: 4 vulnerabilities (highest severity is: 9.8)
mysql-1.6.8.tgz: 5 vulnerabilities (highest severity is: 9.8)
May 31, 2024
Vulnerable Library - mysql-1.6.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 0b828a852c0c8aa892698c53e45ecff7b3a00e42
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-21511
Vulnerable Library - mysql2-3.3.5.tgz
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-3.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 0b828a852c0c8aa892698c53e45ecff7b3a00e42
Found in base branch: main
Vulnerability Details
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Publish Date: 2024-04-23
URL: CVE-2024-21511
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21511
Release Date: 2024-04-23
Fix Resolution (mysql2): 3.9.7
Direct dependency fix Resolution (@keyv/mysql): 1.7.5
Step up your Open Source Security Game with Mend here
CVE-2024-21508
Vulnerable Library - mysql2-3.3.5.tgz
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-3.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 0b828a852c0c8aa892698c53e45ecff7b3a00e42
Found in base branch: main
Vulnerability Details
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
Publish Date: 2024-04-11
URL: CVE-2024-21508
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21508
Release Date: 2024-04-11
Fix Resolution (mysql2): 3.9.4
Direct dependency fix Resolution (@keyv/mysql): 1.7.5
Step up your Open Source Security Game with Mend here
CVE-2024-21512
Vulnerable Library - mysql2-3.3.5.tgz
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-3.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 0b828a852c0c8aa892698c53e45ecff7b3a00e42
Found in base branch: main
Vulnerability Details
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
Publish Date: 2024-05-29
URL: CVE-2024-21512
CVSS 3 Score Details (8.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-29
Fix Resolution (mysql2): 3.9.8
Direct dependency fix Resolution (@keyv/mysql): 2.0.1
Step up your Open Source Security Game with Mend here
CVE-2024-21509
Vulnerable Library - mysql2-3.3.5.tgz
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-3.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 0b828a852c0c8aa892698c53e45ecff7b3a00e42
Found in base branch: main
Vulnerability Details
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
Publish Date: 2024-04-10
URL: CVE-2024-21509
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21509
Release Date: 2024-04-10
Fix Resolution (mysql2): 3.9.4
Direct dependency fix Resolution (@keyv/mysql): 1.7.5
Step up your Open Source Security Game with Mend here
CVE-2024-21507
Vulnerable Library - mysql2-3.3.5.tgz
Library home page: https://registry.npmjs.org/mysql2/-/mysql2-3.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 0b828a852c0c8aa892698c53e45ecff7b3a00e42
Found in base branch: main
Vulnerability Details
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
Publish Date: 2024-04-10
URL: CVE-2024-21507
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21507
Release Date: 2024-04-10
Fix Resolution (mysql2): 3.9.3
Direct dependency fix Resolution (@keyv/mysql): 1.7.5
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: