CVE-2021-2385 in MySQL Server
Summary
by MITRE • 07/21/2021
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 08/17/2025
The vulnerability identified as CVE-2021-2385 represents a critical security flaw within Oracle MySQL Server's replication component that affects multiple version ranges including 5.7.34 and earlier, as well as 8.0.25 and prior releases. This vulnerability falls under the Common Weakness Enumeration category CWE-121, which deals with buffer overflow conditions, and specifically impacts the server's replication functionality that handles data synchronization between MySQL instances. The flaw manifests in the server's handling of certain replication operations that process data from remote sources, creating a potential attack vector that could be exploited by malicious actors with network access and elevated privileges.
The technical nature of this vulnerability stems from improper handling of replication data within the MySQL Server architecture, where an attacker with high privileges and network access can manipulate replication streams to trigger memory corruption issues. The attack requires an attacker to possess elevated privileges within the MySQL environment, which aligns with the CVSS vector's requirement for high privilege access (PR:H). The vulnerability's exploitability difficulty is rated as high (AC:H) due to the specific conditions required for successful exploitation, including the need for network connectivity and administrative access to the MySQL server. The impact assessment reveals that successful exploitation can lead to complete denial of service conditions where the MySQL server becomes unresponsive or crashes repeatedly, while simultaneously allowing unauthorized modification of database content through update, insert, or delete operations.
The operational consequences of this vulnerability extend beyond simple service disruption to include potential data integrity compromise and unauthorized access to sensitive database information. When a MySQL server experiences a complete denial of service through this vulnerability, it can severely impact business operations that depend on database availability, potentially causing cascading failures across applications that rely on MySQL for data persistence. The integrity impact of CVSS score 5.0 indicates that attackers can modify data within the MySQL server, which could result in data corruption, unauthorized access to confidential information, or manipulation of business-critical data. The availability impact is equally concerning as the vulnerability can cause the MySQL server to hang or crash repeatedly, effectively rendering the database service unavailable to legitimate users and applications.
Organizations should implement multiple layers of defense to mitigate this vulnerability, beginning with immediate patching of affected MySQL versions to the latest available releases that contain fixes for this replication flaw. The remediation process should include thorough testing of patches in development environments before deployment to production systems to ensure compatibility with existing applications and database configurations. Network segmentation and access controls should be strengthened to limit the attack surface by restricting network access to MySQL servers to only trusted sources and authorized administrative users. Monitoring systems should be enhanced to detect unusual replication activities or patterns that might indicate exploitation attempts, and intrusion detection systems should be configured to alert on potential exploitation indicators. Additionally, implementing principle of least privilege access controls and regular security audits of MySQL server configurations will help reduce the risk of privilege escalation that could lead to successful exploitation of this vulnerability. The ATT&CK framework's T1078 technique for valid accounts and T1499 for endpoint disruption directly relates to the exploitation patterns and impact of this vulnerability, making these considerations essential for comprehensive security posture improvement.