CVE-2019-2974 in MySQL Server
Summary
by MITRE
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/16/2025
The vulnerability identified as CVE-2019-2974 resides within the MySQL Server optimizer component of Oracle MySQL, affecting multiple version branches including 5.6.45 and earlier, 5.7.27 and earlier, and 8.0.17 and earlier. This represents a significant security flaw that operates at the core of MySQL's query processing capabilities, where the optimizer is responsible for determining the most efficient execution plan for database queries. The vulnerability's classification as easily exploitable indicates that attackers with minimal privileges and network access can leverage this weakness, making it particularly dangerous in production environments where database servers are accessible over networks.
The technical nature of this vulnerability stems from improper handling of certain optimizer operations that can lead to denial of service conditions. When an attacker crafts specific database queries that trigger the vulnerable code path within the optimizer, the MySQL Server process becomes susceptible to hanging or experiencing repeated crashes that effectively render the database service unavailable. This occurs because the optimizer's internal state management fails to properly handle certain edge cases during query execution planning, causing the server to enter an unstable state from which it cannot recover without manual intervention. The vulnerability operates through multiple network protocols, including TCP/IP connections, making it accessible via standard database connection methods and complicating network-based mitigation efforts.
The operational impact of CVE-2019-2974 is substantial, as it enables attackers with low privileges to achieve complete denial of service against MySQL Server instances. This availability impact can severely disrupt business operations, particularly in environments where database availability is critical for application functionality. The CVSS 3.0 base score of 6.5 reflects the moderate to high severity of this vulnerability, considering that attackers need only network access and low privilege levels to exploit it successfully. The vulnerability's potential to cause frequent crashes means that even a single successful attack can result in prolonged service disruption, requiring system administrators to restart database services and potentially leading to data consistency issues. This type of vulnerability directly impacts the reliability and uptime of database systems, which are fundamental requirements for most enterprise applications.
From a cybersecurity perspective, this vulnerability aligns with CWE-121, which describes heap-based buffer overflow conditions, and follows patterns commonly associated with the ATT&CK technique T1499.004 for network denial of service attacks. Organizations should implement immediate mitigations including applying the latest security patches from Oracle, which address the specific optimizer code path that causes the instability. Network segmentation and access controls should be strengthened to limit exposure of MySQL servers to untrusted networks, while monitoring solutions should be deployed to detect unusual patterns of database connection attempts that might indicate exploitation attempts. Additionally, implementing database firewalls and query filtering mechanisms can help prevent malicious queries from reaching the vulnerable optimizer component, providing defense-in-depth protection against this specific vulnerability that affects database server availability through manipulation of query execution planning processes.