CVE-2024-36039
adriaanmolendijk-tomtom opened this issue · 0 comments
adriaanmolendijk-tomtom commented
Hi Scalyr agent maintainers,
The Scalyr agent uses the Python MySQL client library, for which a critical SQL injection vulnerability has recently been discovered. At the time of opening this issue, the Python MySQL library version 0.9.3 is used. A patch is introduced in version 1.1.1, and upgrading to a version >= fixes the vulnerability.
Are you planning on fixing the vulnerability any time soon?
References
- CVE https://nvd.nist.gov/vuln/detail/CVE-2024-36039
- Python MySQL library 0.9.3 used in latest commit https://github.com/scalyr/scalyr-agent-2/blob/master/dev-requirements-new.txt#L19
- Python MySQL library 1.1.0 fixes the vulnerability https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.1