CVE-2020-14765 in MySQL Server
Summary
by MITRE • 10/21/2020
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/16/2025
The vulnerability identified as CVE-2020-14765 represents a critical availability flaw within Oracle MySQL Server's Full Text Search (FTS) component. This weakness affects multiple version lines including 5.6.49 and earlier, 5.7.31 and earlier, and 8.0.21 and earlier releases, making it a widespread concern across the MySQL ecosystem. The vulnerability resides in the Server: FTS component, which handles full-text search operations that are fundamental to many database applications requiring text-based queries and indexing capabilities.
The technical nature of this vulnerability stems from improper handling of certain FTS operations that can trigger memory corruption or resource exhaustion conditions within the MySQL server process. Attackers with low privileges and network access can exploit this weakness through multiple protocols, including TCP/IP connections to the MySQL service port. The vulnerability's exploitability classification as "easily exploitable" indicates that the attack vectors are well-understood and accessible to threat actors with minimal specialized knowledge. The CVSS score of 6.5 reflects the significant availability impact, where successful exploitation results in complete denial of service conditions that can cause the MySQL server to hang or crash repeatedly.
The operational impact of CVE-2020-14765 extends beyond simple service disruption to potentially compromise entire database infrastructures that rely on MySQL for critical business operations. Organizations running affected MySQL versions face the risk of prolonged outages that can affect applications dependent on database availability, leading to business disruption and potential financial losses. The vulnerability's ability to cause "frequently repeatable crash" conditions means that even a single exploitation attempt can render the database service unavailable for extended periods, requiring manual intervention and system restarts to restore functionality.
Security practitioners should prioritize patching affected MySQL installations as the primary mitigation strategy, as Oracle has released patches addressing this vulnerability in newer versions of their database software. Network segmentation and access controls can provide additional defense-in-depth measures by limiting direct network access to MySQL services. Monitoring for unusual connection patterns or service disruptions can help detect exploitation attempts, while implementing proper firewall rules to restrict MySQL service access to trusted networks provides additional protection layers. The vulnerability aligns with CWE-121, which describes buffer overflow conditions, and represents a classic example of how memory safety issues in database engines can lead to complete service denial. Organizations should also consider implementing intrusion detection systems that can identify potential exploitation attempts through anomalous database query patterns or connection behaviors. This vulnerability demonstrates the importance of keeping database software updated and highlights the need for comprehensive vulnerability management programs that address both known and emerging threats in database environments. The availability impact classification of CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates that while the attack requires network access and low privileges, the consequences are severe enough to warrant immediate attention from security teams responsible for database infrastructure protection.