CVE-2021-3779

Name of the Vulnerable Software and Affected Versions ruby-mysql versions prior to 2.10.0

Description The issue allows a malicious MySQL server to request local file content from a client using ruby-mysql without explicit authorization from the user. A malicious actor can read arbitrary files from a client that uses ruby-mysql to communicate to a rogue MySQL server and issue database queries. The server can create a database reply using the LOAD DATA LOCAL statement, which instructs the client to provide additional data from a local file readable by the client.

Recommendations For versions prior to 2.10.0, update to version 2.10.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the LOAD DATA LOCAL statement until a patch is available. Avoid using the LOAD DATA LOCAL statement in the affected API endpoint until the issue is resolved.