CVE-2021-35640 in MySQL Server

Summary

by MITRE • 10/20/2021

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).


Analysis

by VulDB Data Team • 05/17/2025

The vulnerability identified as CVE-2021-35640 represents a significant security weakness within Oracle MySQL Server's Data Definition Language processing component. This flaw exists in MySQL versions 8.0.26 and earlier, making it particularly concerning given the widespread adoption of this database system across enterprise environments. The vulnerability's classification as easily exploitable indicates that attackers with high privileges and network access can leverage this weakness to compromise the integrity of database operations. The CVSS score of 2.7 reflects the relatively low impact on confidentiality but the moderate impact on integrity, highlighting the primary risk of unauthorized data modification.

The technical nature of this vulnerability stems from insufficient validation within the Server: DDL component of MySQL, which processes database schema changes and structural modifications. When an attacker with high privileges can establish network connections to the MySQL server, they can potentially manipulate the database through unauthorized update, insert, or delete operations on accessible data. This represents a privilege escalation scenario where existing elevated access can be leveraged to perform unauthorized data modifications. The vulnerability's impact is particularly dangerous because it operates at the database level, potentially allowing attackers to corrupt or manipulate critical business data, alter access controls, or undermine data integrity across the entire database system.

From an operational perspective, this vulnerability creates substantial risk for organizations relying on MySQL for critical data storage and management. The attack vector requires only network access and high privilege levels, suggesting that either internal attackers with elevated database permissions or external attackers who have already compromised administrative credentials could exploit this weakness. The potential for unauthorized data modification could lead to financial losses, compliance violations, and reputational damage, especially in regulated industries where data integrity is paramount. Organizations with complex database environments may face cascading effects if this vulnerability is used to manipulate critical data structures or access controls that govern multiple database objects.

Security practitioners should prioritize immediate patch management for this vulnerability, particularly in environments where high-privilege database accounts exist and network exposure is present. The remediation approach should include updating to MySQL version 8.0.27 or later, which contains the necessary fixes for this DDL validation issue. Additional mitigations should focus on network segmentation to limit direct access to database servers, implementing strict access controls for high-privilege accounts, and monitoring for unusual database modification patterns. This vulnerability aligns with CWE-20, which addresses "Improper Input Validation," and maps to ATT&CK technique T1078 for valid accounts and T1484 for data manipulation, highlighting the multi-faceted nature of the threat landscape this vulnerability creates. Organizations should also consider implementing database activity monitoring solutions to detect and alert on unauthorized schema modification attempts that could indicate exploitation of this vulnerability.
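As an added example (not VulDB's, Oracle's or MySQL's own code), the following Python helper applies the two conditions the advisory combines during triage: whether a server's reported version falls in the affected range (8.0.26 and prior, fixed in 8.0.27) and which high-privilege accounts in `mysql.user` are reachable from the network rather than only from loopback. The function names are assumed, the privilege column names are those of `mysql.user`, and the account rows and version strings are constructed samples.

```python
# Added triage helper for CVE-2021-35640; assumed names, not VulDB's or Oracle's code.
# It checks the two conditions the advisory combines: a server in the affected range
# (8.0.26 and prior, fixed in 8.0.27) and high-privilege accounts reachable over the network.
import re

FIXED_VERSION = (8, 0, 27)  # first release the advisory names as carrying the fix
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# mysql.user columns for global privileges that allow DDL or bypass privilege checks
HIGH_PRIV_COLUMNS = ("Super_priv", "Create_priv", "Alter_priv", "Drop_priv")

def parse_mysql_version(version_string):
    """Reduce SELECT VERSION() output such as '8.0.26-0ubuntu0.20.04.3' to (8, 0, 26)."""
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version_string)
    if not match:
        raise ValueError(f"unrecognised MySQL version string: {version_string!r}")
    return tuple(int(part) for part in match.groups())

def is_affected(version_string):
    """True for the 8.0 series below the fixed release; other series are not named by the advisory."""
    major, minor, patch = parse_mysql_version(version_string)
    return (major, minor) == FIXED_VERSION[:2] and patch < FIXED_VERSION[2]

def exposed_high_privilege_accounts(user_rows):
    """(user, host) pairs holding DDL or SUPER privileges whose host is not restricted to loopback.
    user_rows mirrors SELECT user, host, Super_priv, Create_priv, Alter_priv, Drop_priv FROM mysql.user
    as dicts with 'Y'/'N' values; any non-loopback host pattern (e.g. '%' or '10.0.%') counts as reachable."""
    return [(row["user"], row["host"]) for row in user_rows
            if row["host"] not in LOCAL_HOSTS
            and any(row.get(col) == "Y" for col in HIGH_PRIV_COLUMNS)]

def triage(version_string, user_rows):
    """Combine both conditions; the listed accounts are the ones that could reach an affected server."""
    affected = is_affected(version_string)
    exposed = exposed_high_privilege_accounts(user_rows)
    if not affected:
        action = "version not in the affected range for this CVE"
    elif exposed:
        action = "upgrade to 8.0.27 or later and review the listed accounts"
    else:
        action = "upgrade to 8.0.27 or later"
    return {"affected": affected, "exposed_accounts": exposed, "action": action}

# Constructed sample rows, not taken from any real server.
SAMPLE_ROWS = [
    {"user": "root", "host": "localhost", "Super_priv": "Y", "Create_priv": "Y", "Alter_priv": "Y", "Drop_priv": "Y"},
    {"user": "app_admin", "host": "%", "Super_priv": "N", "Create_priv": "Y", "Alter_priv": "Y", "Drop_priv": "Y"},
    {"user": "reporting", "host": "10.0.%", "Super_priv": "N", "Create_priv": "N", "Alter_priv": "N", "Drop_priv": "N"},
]
```

Running `triage("8.0.26-0ubuntu0.20.04.3", SAMPLE_ROWS)` flags the server as affected and lists only `app_admin@%`, since `root` is bound to loopback and `reporting` holds no DDL or SUPER privilege.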

Responsible

Oracle

Reservation

06/28/2021

Disclosure

10/20/2021

Moderation

accepted

CPE

ready

EPSS

0.01143

KEV

no

Activities

very low

Sources
