CVE-2021-35602 in MySQL Server

Summary

by MITRE • 10/20/2021

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).


Analysis

by VulDB Data Team • 05/17/2025

CVE-2021-35602 is a vulnerability in Oracle MySQL Server 8.0.26 and earlier, in the Server: Options component. Oracle rates it difficult to exploit: the attacker needs high privileges (CVSS Privileges Required: High) and network access to the server, which is reachable over multiple protocols. The high-privilege requirement means an attacker must already hold elevated credentials before the flaw can be used, which makes it far less urgent than an unauthenticated remote bug, but a compromised administrative account or a malicious insider satisfies that precondition.

Successful exploitation can hang the MySQL Server process or crash it in a repeatable way, a complete denial of service for every application that depends on that instance. It can also permit unauthorized update, insert or delete operations on some of the data the server can access. The combination matters: an attacker can disrupt service and tamper with data in the same attack. The CVSS 3.1 base score is 5.0 (Medium), from the vector AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H: network attack vector, high attack complexity, high privileges required, no user interaction, unchanged scope, no confidentiality impact, low integrity impact and high availability impact.

VulDB classifies the weakness under CWE-284 (Improper Access Control) and CWE-121 (Stack-based Buffer Overflow), that is, an access-control defect with a memory-safety component in the server implementation. The affected component handles server options, the settings that govern how the server runs, so a fault there reaches core server state rather than a peripheral feature. Organizations running affected versions face service disruption and data-integrity risk wherever database availability is business critical.

The fix is to upgrade to Oracle MySQL Server 8.0.27 or later, the release that carries Oracle's patch. Because exploitation needs both high privileges and network access, reducing who can reach the server with those privileges reduces exposure in the meantime: segment the network so the MySQL port is not reachable from untrusted zones, restrict administrative accounts to the hosts and people that need them, and review which accounts hold elevated privileges. Monitor for unusual server behaviour, in particular unexpected hangs or restarts of the server process and privileged connections from unexpected sources, since a repeatable crash is the most visible symptom of exploitation. Regular vulnerability assessment of MySQL deployments confirms that every instance runs a patched version. The relevant MITRE ATT&CK techniques are T1078 (Valid Accounts), because the attacker must first hold a privileged account, and T1499 (Endpoint Denial of Service) for the availability impact, so account management and availability monitoring both belong in the defence.
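Confirming that every instance is on a patched release is mostly a matter of reading `SELECT VERSION()` correctly, because distribution builds append suffixes such as `-0ubuntu0.20.04.3` or `-log`. The following added example (not VulDB or Oracle code) parses those strings and triages a constructed inventory against the affected range. It assumes, as this analysis does, that Oracle's "8.0.26 and prior" refers to the 8.0 series and that 8.0.27 is the first fixed release; releases from other series are reported as out of scope of this advisory rather than as safe, so they are not silently marked clean.

```python
"""Triage MySQL instances against the CVE-2021-35602 affected range from the
string SELECT VERSION() returns (e.g. mysql -N -e "SELECT VERSION()").
Added example; hostnames and version strings below are constructed."""
import re
from typing import Optional

# First 8.0 release carrying the fix, per the advisory.
FIXED_IN = (8, 0, 27)
# Assumption: "8.0.26 and prior" is read as the 8.0 series only.
AFFECTED_SERIES = (8, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string: str) -> tuple:
    """Return (major, minor, patch) from VERSION() output, ignoring any
    distribution or build suffix such as '-0ubuntu0.20.04.3' or '-log'."""
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {version_string!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_string: str) -> Optional[bool]:
    """True if the instance is in the affected 8.0 range, False if it is at or
    past the fixed release, None if its series is not covered by the advisory."""
    version = parse_version(version_string)
    if version[:2] != AFFECTED_SERIES:
        return None
    return version < FIXED_IN


def triage(inventory: dict) -> dict:
    """Map host -> 'affected' / 'fixed' / 'out of scope' for a
    {host: version_string} inventory."""
    labels = {True: "affected", False: "fixed", None: "out of scope"}
    return {host: labels[is_affected(v)] for host, v in inventory.items()}


# Constructed sample inventory; none of these are real hosts.
SAMPLE_INVENTORY = {
    "db-prod-01": "8.0.26-0ubuntu0.20.04.3",
    "db-prod-02": "8.0.27",
    "db-dev-01": "8.0.19",
    "db-legacy-01": "5.7.35-log",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

The three-way result is deliberate: a 5.7 instance is not fixed by this advisory and should be checked against Oracle's Critical Patch Update text for its own series rather than treated as unaffected because a naive "is the version at least 8.0.27" test returned False.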

Responsible

Oracle

Reservation

06/28/2021

Disclosure

10/20/2021

Moderation

accepted

CPE

ready

EPSS

0.01601

KEV

no

Activities

very low
