GHSA-73pr-g6jj-5hc9

Source

https://github.com/advisories/GHSA-73pr-g6jj-5hc9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-73pr-g6jj-5hc9/GHSA-73pr-g6jj-5hc9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-73pr-g6jj-5hc9

Aliases

CVE-2021-3779

Published

2022-06-29T00:00:27Z

Modified

2024-02-21T05:29:44.756734Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Externally Controlled Reference to a Resource in Another Sphere in ruby-mysql

Details

A malicious actor can read arbitrary files from a client that uses ruby-mysql to communicate to a rogue MySQL server and issue database queries. In these cases, the server has the option to create a database reply using the LOAD DATA LOCAL statement, which instructs the client to provide additional data from a local file readable by the client (and not a "local" file on the server).

Database specific

{
    "nvd_published_at": "2022-06-28T17:15:00Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2022-07-05T22:08:34Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-610"
    ]
}

References

Affected packages

RubyGems / ruby-mysql

Package

Name: ruby-mysql
Purl: pkg:gem/ruby-mysql

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.10.0

Affected versions

2.*

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.9.9

2.9.10

2.9.11

2.9.12

2.9.13

2.9.14