CVE-2024-21511

Name of the Vulnerable Software and Affected Versions: mysql2 versions prior to 3.9.7

Description: The issue is related to improper sanitization of the timezone parameter in the readCodeFor function, which can lead to Arbitrary Code Injection when calling a native MySQL Server date/time function. This can allow a remote attacker to execute arbitrary code.

Recommendations: For versions prior to 3.9.7, update to version 3.9.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of the readCodeFor function or sanitizing the timezone parameter to minimize the risk of exploitation.