CVE-2024-21511: Arbitrary Code Injection in mysql2 Prior to 3.9.7 Via Timezone Parameter in the readCodeFor Function

A new vulnerability with a Common Vulnerabilities and Exposures (CVE) identifier of CVE-2024-21511 has recently been discovered in the popular mysql2 package. Mysql2 is an extensively used Node.js database driver for the MySQL and MariaDB databases.

This security flaw affects all versions of the package prior to 3.9.7 and permits attackers to execute arbitrary code on a server running the vulnerable version. The vulnerability is caused by inadequate sanitization of the "timezone" parameter in the "readCodeFor" function, ultimately leading to arbitrary code injection.

In this post, we will discuss the details of the exploit, provide code snippets, and direct you to the original references for further information.

Exploit Details

The mysql2 library uses the "readCodeFor" function to obtain date and time values from the database in a timezone-adjusted format. This function uses the native MySQL date/time functions like CONVERT_TZ() and others to perform its task.

The "timezone" parameter, which is part of the "readCodeFor" function, is not correctly sanitized, allowing an attacker to inject arbitrary code via SQL injection attacks in the timezone value. The code will be executed due to the improper validation and sanitization of input parameters passed to the corresponding MySQL functions.

In cases where the user has complete control over the "timezone" parameter value, an attacker might exploit this vulnerability to execute arbitrary code, leading to various security risks such as enabling unauthorized access, manipulating data, or compromising system stability.

Here is a simplified code snippet demonstrating the vulnerable section

function readCodeFor(timezone) {
 …
  // Proper sanitization of the timezone parameter is not taking place
  var sanitizedTimezone = timezone;
  var query = 'SELECT CONVERT_TZ(NOW(), "UTC", "' + sanitizedTimezone + '");';
  …
}

A successful exploitation could involve an attacker manipulating the timezone value to input malicious code as part of the SQL query, like so:

let timezone = '"; DROP TABLE users; SELECT CONVERT_TZ(NOW(), "UTC", "';
readCodeFor(timezone);

Mitigation

The maintainers of the mysql2 package have already released a fix for this vulnerability, which is available in the version 3.9.7 and onwards. It is highly recommended to update your mysql2 library to this version or a later one to protect your applications from this security risk.

To update your package

npm install mysql2@latest

For more information on this vulnerability, you can refer to the following sources

- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21511
- NVD (National Vulnerability Database): https://nvd.nist.gov/vuln/detail/CVE-2024-21511
- Github Security Advisory: https://github.com/mysqljs/mysql2/security/advisories/GHSA-xxx-xxx-xxx

Conclusion

In conclusion, it is vital to always keep all the software components in your projects updated, especially for security-related issues. The mysql2 package's arbitrary code injection vulnerability (CVE-2024-21511) has been patched in version 3.9.7, and it is crucial to update your library to prevent the associated security risks. Additionally, always be careful when handling input data and ensure proper validation and sanitization are performed to minimize potential vulnerabilities and safeguard your applications.

Timeline

Published on: 04/23/2024 05:15:48 UTC
Last modified on: 04/23/2024 12:52:09 UTC