CVE-2023-39021: 
Java vulnerability analysis and mitigation

wix-embedded-mysql v4.6.1 and below contains a code injection vulnerability in the component com.wix.mysql.distribution.Setup.apply. The vulnerability was discovered and disclosed on July 28, 2023, affecting the MySQL distribution setup functionality of the package. This vulnerability is tracked as CVE-2023-39021 and has been assigned a critical CVSS score of 9.8 (NVD).

The vulnerability exists in the Setup.apply method within com.wix.mysql.distribution.Setup.java. The method is designed to set up MySQL but fails to properly validate input arguments, allowing for arbitrary command execution. The vulnerability can be exploited by passing an unchecked argument to the API through the IExtractedFileSet interface, specifically via the executable() method (GitHub POC).

If exploited, this vulnerability allows attackers to execute arbitrary code through the affected component. Given its CVSS score of 9.8, it is considered critical with potential for significant system compromise (NVD, FortiGuard).

Users should avoid using versions 4.6.1 and below of wix-embedded-mysql. The recommended action is to upgrade to a version higher than 4.6.2. For those unable to upgrade immediately, implementing strict validation of IExtractedFileSet.executable() returns to ensure it only points to valid MySQL executable paths is suggested (FortiGuard).