CVE-2022-21302 in MySQL Server
Summary
by MITRE • 01/19/2022
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/17/2025
The vulnerability identified as CVE-2022-21302 resides within the InnoDB storage engine component of Oracle MySQL Server affecting versions 8.0.27 and earlier. This represents a significant availability-focused weakness that operates at the core database engine level where data storage and retrieval operations are managed. The flaw manifests as a denial of service condition that can be triggered through network-based attacks, making it particularly concerning for database environments where continuous availability is critical. The vulnerability's classification as difficult to exploit indicates that while the attack vector is not trivial, it remains a legitimate threat that requires immediate attention from database administrators and security teams responsible for maintaining MySQL installations.
The technical nature of this vulnerability stems from improper handling of specific database operations within the InnoDB storage engine that can lead to system instability when processed under certain conditions. Attackers with low privileges and network access can leverage multiple protocols to send malicious requests that trigger the flaw, causing the MySQL Server to either hang indefinitely or experience repeated crashes that effectively render the database service unavailable. This behavior aligns with the CVSS 3.1 scoring system which assigns a base score of 5.3 reflecting the availability impact severity, with the attack vector being network-based, requiring high complexity to exploit, and only low privilege levels from the attacker perspective. The vulnerability's potential to cause complete denial of service makes it particularly dangerous in production environments where database uptime is essential for business operations.
From an operational standpoint, this vulnerability presents a substantial risk to organizations relying on MySQL databases for critical business functions. The ability to cause repeated crashes or system hangs can result in extended downtime periods that may impact customer service, data integrity, and overall business continuity. The fact that this vulnerability affects the InnoDB storage engine means that any database operations involving transactions, indexing, or storage management could potentially trigger the flaw, making it particularly challenging to predict and prevent. Organizations using affected MySQL versions must consider the operational impact of this vulnerability on their database services, including potential data loss during crash recovery, increased administrative overhead for system monitoring, and possible regulatory compliance issues related to service availability.
Security professionals should prioritize immediate remediation efforts by upgrading to MySQL Server versions that have patched this vulnerability, as the affected versions 8.0.27 and prior contain no known workarounds that would effectively mitigate the risk. The vulnerability's classification under CWE-476 (NULL Pointer Dereference) and its alignment with ATT&CK techniques related to denial of service attacks indicates that it represents a fundamental weakness in the software's error handling mechanisms. Organizations should implement network segmentation strategies to limit access to MySQL services, employ intrusion detection systems to monitor for suspicious network traffic patterns, and establish robust backup and recovery procedures to minimize the impact of potential exploitation. Additionally, security teams should conduct thorough vulnerability assessments to identify all instances of affected MySQL versions within their infrastructure and develop incident response procedures that specifically address denial of service scenarios involving database services. The CVSS vector analysis confirms that while the attack complexity is high, the potential availability impact is severe enough to warrant immediate action regardless of the attacker's privileges or network position.