Описание
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
A flaw was found in the MySQL2 npm package. Affected versions of this package are vulnerable to remote code execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
Отчет
The mysql2 dependency is inherited from upstream Backstage, which is designed to support various databases. However, RHDH exclusively supports PostgreSQL for production use, so this issue doesn't impact us.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Developer Hub | rhdh-operator-container | Not affected | ||
| Red Hat Developer Hub | rhdh/rhdh-hub-rhel9 | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
9.8 Critical
CVSS3
Связанные уязвимости
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
mysql2 Remote Code Execution (RCE) via the readCodeFor function
Уязвимость функции readCodeFor библиотеки для работы с базами данных mysql2, позволяющая нарушителю выполнить произвольный код
EPSS
9.8 Critical
CVSS3