sql-lint-1.0.0.tgz: 5 vulnerabilities (highest severity is: 9.8)

[mend-for-jackfan.us.kg]

Vulnerable Library - sql-lint-1.0.0.tgz

Path to dependency file: /dependencies/package.json

Path to vulnerable library: /dependencies/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (sql-lint version)	Remediation Possible**	Reachability
CVE-2024-21511	Critical	9.8	mysql2-2.3.3.tgz	Transitive	N/A*	❌
CVE-2024-21508	Critical	9.8	mysql2-2.3.3.tgz	Transitive	N/A*	❌
CVE-2024-21512	High	8.2	mysql2-2.3.3.tgz	Transitive	N/A*	❌
CVE-2024-21509	Medium	6.5	mysql2-2.3.3.tgz	Transitive	N/A*	❌
CVE-2024-21507	Medium	6.5	mysql2-2.3.3.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-21511

Vulnerable Library - mysql2-2.3.3.tgz

fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS

Library home page: https://registry.npmjs.org/mysql2/-/mysql2-2.3.3.tgz

Path to dependency file: /dependencies/package.json

Path to vulnerable library: /dependencies/package.json

Dependency Hierarchy:

• sql-lint-1.0.0.tgz (Root Library)
  • ❌ mysql2-2.3.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.

Publish Date: 2024-04-23

URL: CVE-2024-21511

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21511

Release Date: 2024-04-23

Fix Resolution: mysql2 - 3.9.7

CVE-2024-21508

Vulnerable Library - mysql2-2.3.3.tgz

fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS

Library home page: https://registry.npmjs.org/mysql2/-/mysql2-2.3.3.tgz

Path to dependency file: /dependencies/package.json

Path to vulnerable library: /dependencies/package.json

Dependency Hierarchy:

• sql-lint-1.0.0.tgz (Root Library)
  • ❌ mysql2-2.3.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.

Publish Date: 2024-04-11

URL: CVE-2024-21508

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21508

Release Date: 2024-04-11

Fix Resolution: mysql2 - 3.9.4

CVE-2024-21512

Vulnerable Library - mysql2-2.3.3.tgz

fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS

Library home page: https://registry.npmjs.org/mysql2/-/mysql2-2.3.3.tgz

Path to dependency file: /dependencies/package.json

Path to vulnerable library: /dependencies/package.json

Dependency Hierarchy:

• sql-lint-1.0.0.tgz (Root Library)
  • ❌ mysql2-2.3.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.

Publish Date: 2024-05-29

URL: CVE-2024-21512

CVSS 3 Score Details (8.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-29

Fix Resolution: mysql2 - 3.9.8

CVE-2024-21509

Vulnerable Library - mysql2-2.3.3.tgz

fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS

Library home page: https://registry.npmjs.org/mysql2/-/mysql2-2.3.3.tgz

Path to dependency file: /dependencies/package.json

Path to vulnerable library: /dependencies/package.json

Dependency Hierarchy:

• sql-lint-1.0.0.tgz (Root Library)
  • ❌ mysql2-2.3.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.

Publish Date: 2024-04-10

URL: CVE-2024-21509

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21509

Release Date: 2024-04-10

Fix Resolution: mysql2 - 3.9.4

CVE-2024-21507

Vulnerable Library - mysql2-2.3.3.tgz

fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS

Library home page: https://registry.npmjs.org/mysql2/-/mysql2-2.3.3.tgz

Path to dependency file: /dependencies/package.json

Path to vulnerable library: /dependencies/package.json

Dependency Hierarchy:

• sql-lint-1.0.0.tgz (Root Library)
  • ❌ mysql2-2.3.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.

Publish Date: 2024-04-10

URL: CVE-2024-21507

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21507

Release Date: 2024-04-10

Fix Resolution: mysql2 - 3.9.3