CVE-2020-2812 in MySQL Server
Summary
by MITRE
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/16/2025
The vulnerability identified as CVE-2020-2812 represents a critical availability risk within Oracle MySQL Server's stored procedure execution mechanism. This flaw exists in the server component responsible for handling stored procedures, affecting multiple version streams including 5.6.47 and earlier, 5.7.29 and earlier, and 8.0.19 and earlier releases. The vulnerability's classification as easily exploitable indicates that attackers with high privileges and network access can leverage this weakness effectively. The attack vector operates through multiple network protocols, making the exploit surface broader and more accessible to threat actors. The CVSS base score of 4.9 reflects the significant availability impact, with a high availability impact rating of eight, demonstrating the potential for complete denial of service conditions.
The technical nature of this vulnerability stems from improper handling of stored procedure execution within the MySQL server architecture. When maliciously crafted stored procedures are executed, the server experiences conditions that lead to either complete hangs or frequently repeatable crashes. This behavior constitutes a denial of service attack where legitimate users and applications lose access to database services. The flaw specifically impacts the server's stored procedure component, which is a fundamental element of MySQL's database functionality. The vulnerability's exploitation requires an attacker with high privileges, suggesting that the attack typically involves authenticated users who already possess elevated access rights within the database environment.
The operational impact of CVE-2020-2812 extends beyond simple service disruption to potentially compromise entire database operations and business continuity. When the MySQL server experiences hangs or crashes due to this vulnerability, database applications that depend on these services face complete service outages. The repeated nature of the crashes makes this vulnerability particularly dangerous as it can lead to sustained denial of service conditions rather than isolated incidents. Organizations relying on MySQL databases for critical operations face significant risk of operational disruption, data access limitations, and potential revenue impacts. The vulnerability affects the core database server functionality, making it a high-priority concern for database administrators and security teams responsible for maintaining service availability.
Security mitigations for this vulnerability primarily focus on immediate patching and version upgrades to unaffected MySQL releases. Organizations should prioritize applying the official Oracle patches released for this vulnerability, particularly upgrading to versions beyond the affected releases mentioned in the CVE description. Network segmentation and access controls should be enhanced to limit the attack surface and prevent unauthorized access to database servers. Monitoring systems should be configured to detect unusual patterns of server hangs or crashes that might indicate exploitation attempts. The vulnerability's classification under CWE 119 indicates memory access issues, suggesting that defensive programming practices and input validation should be strengthened. Additionally, implementing the principle of least privilege and reducing the number of high-privileged accounts can limit the potential impact of successful exploitation attempts. Organizations should also consider implementing database activity monitoring solutions to detect anomalous stored procedure execution patterns that might precede or accompany exploitation of this vulnerability.