CVE-2022-21265 in MySQL Server
Summary
by MITRE • 01/19/2022
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 3.8 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L).
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/17/2025
The vulnerability identified as CVE-2022-21265 resides within the MySQL Server optimizer component of Oracle MySQL database systems, affecting versions 8.0.27 and earlier. This represents a significant security weakness that operates at the core of database query processing functionality. The vulnerability's classification as easily exploitable indicates that attackers with high privileges and network access can leverage this flaw effectively, making it particularly dangerous in environments where database administrators maintain elevated access levels. The attack vector through multiple protocols suggests that the vulnerability can be exploited across various network communication channels, increasing its potential impact surface.
The technical flaw manifests within the server optimizer module where the vulnerability allows attackers to manipulate database operations through unauthorized update, insert, or delete access to specific database records. This represents a direct compromise of data integrity as malicious actors can alter database content without proper authorization. Additionally, the vulnerability enables partial denial of service conditions that can disrupt database operations and reduce system availability. The CVSS 3.1 scoring system assigns a base score of 3.8, reflecting moderate severity with specific impacts to integrity and availability. The vector notation CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L indicates network-based access requirements, low attack complexity, high privilege requirements, no user interaction, and unspecified scope with limited integrity impact and moderate availability impact.
From an operational standpoint, this vulnerability creates substantial risk for organizations relying on MySQL databases for critical business operations. The high privilege requirement means that attackers typically need to already have administrative or elevated access to the system, but once achieved, the impact can be severe. The partial denial of service component can cause significant disruption to database services, affecting multiple applications that depend on database availability. The integrity compromise allows for data manipulation that could go undetected for extended periods, potentially leading to financial losses, regulatory violations, or operational disruptions. Organizations with multiple database instances or those running older MySQL versions are particularly vulnerable to this exploit.
Security professionals should consider this vulnerability in the context of broader attack frameworks such as MITRE ATT&CK, where it would map to techniques involving privilege escalation and data manipulation. The vulnerability aligns with CWE-20, which describes improper input validation, and represents a specific instance of how optimizer components can introduce security weaknesses. Mitigation strategies should include immediate patching of affected MySQL versions to 8.0.28 or later, implementing strict network segmentation to limit access to database servers, and employing comprehensive monitoring solutions to detect unauthorized database modifications. Additionally, organizations should review and enforce principle of least privilege access controls, ensuring that database administrative privileges are granted only to essential personnel and that regular access reviews are conducted. Network-level controls including firewalls and intrusion detection systems should be configured to monitor for suspicious database activity patterns that might indicate exploitation attempts.