CVE-2022-21303 in MySQL Server
Summary
by MITRE • 01/19/2022
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/17/2025
The vulnerability identified as CVE-2022-21303 represents a critical availability risk within Oracle MySQL Server's stored procedure execution environment. This flaw exists in the server component responsible for handling stored procedures and affects specific version ranges including MySQL 5.7.36 and earlier versions, as well as MySQL 8.0.27 and prior releases. The vulnerability operates at a fundamental level within the database server's architecture where stored procedures are processed and executed, creating a potential pathway for malicious actors to disrupt normal database operations.
The technical nature of this vulnerability stems from improper handling of certain stored procedure operations that can lead to resource exhaustion or memory corruption conditions. When exploited, the flaw allows an attacker with high privileges and network access to manipulate the server's execution flow in a manner that can cause repeated crashes or complete system hangs. This represents a denial of service condition that can severely impact database availability and business continuity operations. The vulnerability's exploitability requires an attacker to possess elevated privileges within the database system, typically corresponding to administrative or root-level access, which aligns with the CVSS vector's PR:H classification indicating high privilege requirements.
The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise entire database infrastructure availability. Successful exploitation can result in complete system downtime that may affect critical business applications depending on MySQL for data persistence and retrieval. Organizations utilizing affected MySQL versions face significant risk of operational disruption, particularly in environments where database availability is paramount for business operations. The vulnerability's characteristics align with CWE-400, which addresses "Uncontrolled Resource Consumption," and the ATT&CK framework's T1499.004 technique for "Endpoint Denial of Service" through resource exhaustion attacks. The CVSS base score of 4.9 reflects the availability impact severity, though the low attack complexity and requirement for high privileges somewhat mitigate the overall risk profile.
Mitigation strategies for CVE-2022-21303 should prioritize immediate patching of affected MySQL installations to the latest supported versions that contain the necessary security fixes. Organizations should also implement network segmentation and access controls to limit exposure of MySQL servers to untrusted networks and reduce the attack surface available to potential attackers. Monitoring systems should be enhanced to detect unusual patterns of database server behavior that might indicate exploitation attempts. Additionally, implementing proper privilege management and least-privilege access controls can significantly reduce the risk of exploitation even if other security measures fail. Regular security assessments and vulnerability scanning should be conducted to identify and remediate similar issues across the database infrastructure. The remediation process should include thorough testing of patched environments to ensure that security updates do not introduce compatibility issues with existing database applications and stored procedures.