CVE-2020-14893 in MySQL Server

Summary

by MITRE • 10/21/2020

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


Analysis

by VulDB Data Team • 08/09/2025

CVE-2020-14893 lies in the optimizer component of Oracle MySQL Server and affects 8.0.21 and earlier. The optimizer builds the execution plan for every statement the server runs, so a defect there is reachable by any session that can submit SQL; in this case the consequence is confined to availability. Oracle rates the flaw as easily exploitable: an attacker who already holds a high-privileged database account and can reach the server over the network needs no user interaction and no unusual tooling to trigger it.

The advisory describes the effect, not the defect: certain query patterns handled by the optimizer make the mysqld process hang or crash, and the crash is reliably repeatable, so the database stays unavailable for as long as the attacker can keep issuing the query. Oracle does not publish the root cause. This entry's CWE-121 classification denotes a stack-based buffer overflow (heap-based overflows are CWE-122); that would imply a malformed query overruns a fixed-size buffer during plan construction, but nothing in the public advisory confirms or details the mechanism, so the CWE should be read as a categorisation of the entry rather than as an established fact about the bug.

The impact is loss of availability of the database service, which for most deployments is a business outage rather than a nuisance. The CVSS 3.1 base score is 4.9 (Medium); the vector carries A:H with C:N and I:N, so the score reflects availability alone, not any confidentiality or integrity loss. What keeps the score moderate is PR:H: the attacker must already authenticate with a high-privileged MySQL account, not merely reach the port. That prerequisite limits who can trigger the issue, but it does not reduce the effect once triggered, and such accounts are routinely held by application service users, automation and DBAs. "Network access via multiple protocols" is Oracle's standard wording for MySQL Server issues and means the trigger is delivered over the server's ordinary client connections rather than through some additional service; it does not add listening surface beyond what the server already exposes.

Defensively, the first step is to upgrade affected 8.0.x installations to MySQL 8.0.22 or later, the release shipped with Oracle's October 2020 Critical Patch Update that contains the fix. Until that is done, reduce the set of principals who can trigger the bug: review which accounts hold high privileges, remove grants that are not needed, and keep the server unreachable from networks that have no business connecting to it. Monitoring should alert on mysqld restarts and on sessions that hang or pin a CPU core, because a repeatable crash or hang is the observable symptom of exploitation. In ATT&CK terms the outcome is Endpoint Denial of Service (T1499), the technique for crashing or exhausting a service on the host itself (T1498 is the separate network-level denial-of-service technique), so availability controls and a tested recovery procedure for the database tier are the relevant response measures.
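The practical first question for a fleet is which servers still report a vulnerable version. The following added example (written for this page, not VulDB's or Oracle's code) parses the version strings that SELECT VERSION() and mysqld --version actually produce, including distribution and build suffixes, and sorts hosts into "patch" or "ok" against the 8.0.22 fix release named above. It assumes the advisory's "8.0.21 and prior" means earlier releases of the 8.0 series, since Oracle lists other series separately when they are affected; the host inventory is constructed sample data.

```python
import re

# Fix release per the advisory discussion above (October 2020 CPU).
FIXED = (8, 0, 22)
# ASSUMPTION: "8.0.21 and prior" is read as the 8.0 series only.
AFFECTED_SERIES = (8, 0)

# First dotted triple anywhere in the string: handles "8.0.21-log",
# "8.0.22-0ubuntu0.20.04.2" and "mysqld  Ver 8.0.22 for Linux on x86_64 (...)".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(reported: str) -> tuple:
    """Return (major, minor, patch) from a MySQL version string, ignoring
    build suffixes such as -log, -commercial, -cluster or -0ubuntu0.20.04.2."""
    m = _VERSION_RE.search(reported)
    if not m:
        raise ValueError("unrecognised MySQL version string: %r" % reported)
    return tuple(int(x) for x in m.groups())


def is_affected(reported: str) -> bool:
    """True if the server is an 8.0.x release older than 8.0.22.
    Servers outside the 8.0 series are reported as not affected (assumption)."""
    v = parse_version(reported)
    return v[:2] == AFFECTED_SERIES and v < FIXED


def triage(reports: dict) -> dict:
    """Map host -> reported version string to host -> 'patch' or 'ok'."""
    return {host: ("patch" if is_affected(ver) else "ok")
            for host, ver in reports.items()}


# Constructed sample inventory; hostnames and versions are not real systems.
SAMPLE_INVENTORY = {
    "db-01": "8.0.21-log",
    "db-02": "8.0.22-0ubuntu0.20.04.2",
    "db-03": "mysqld  Ver 8.0.19 for Linux on x86_64 (MySQL Community Server - GPL)",
    "db-04": "8.0.21-commercial",
    "db-05": "5.7.31",
}


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(host, verdict)
```

The suffix handling is the part worth keeping: a naive string comparison would rank "8.0.22-0ubuntu0.20.04.2" below "8.0.22" and a regex anchored at the start of the string would miss the mysqld --version form entirely, and either mistake silently drops a host from the patch list.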

Responsible

Oracle

Reservation

06/19/2020

Disclosure

10/21/2020

Moderation

accepted

CPE

ready

EPSS

0.02096

KEV

no

Activities

very low
