CVE-2022-21362 in MySQL Serverinfo

Summary

by MITRE • 01/19/2022

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/17/2025

The vulnerability identified as CVE-2022-21362 represents a significant availability risk within Oracle MySQL Server versions 8.0.27 and earlier. This flaw resides within the Server: Information Schema component, which serves as a critical metadata repository for database operations and system information. The vulnerability's classification as easily exploitable indicates that attackers with high privileges and network access can leverage this weakness to disrupt database services effectively.

The technical nature of this vulnerability stems from improper handling of certain information schema queries that can trigger memory corruption or resource exhaustion conditions within the MySQL server process. When exploited, these malformed queries cause the server to enter a state where it either becomes unresponsive or experiences repeated crashes that can only be resolved through manual intervention and service restarts. The attack vector requires network access and assumes an attacker already possesses high-privilege credentials, making this vulnerability particularly dangerous in environments where administrative access is compromised or where privilege escalation has occurred.

From an operational perspective, this vulnerability creates a complete denial of service condition that can severely impact database availability and business continuity. The repeated crashes make it difficult for administrators to maintain stable database operations, as the system may require frequent restarts to restore functionality. Organizations relying on MySQL for critical applications face potential downtime that could result in significant financial losses and service disruption. The CVSS score of 4.9 reflects the moderate to high impact on availability, though the requirement for high privileges and network access limits the overall exploitability compared to vulnerabilities requiring no authentication.

Security practitioners should prioritize patching affected MySQL installations to address this vulnerability, as Oracle has released updates to correct the information schema handling. Organizations should implement network segmentation to limit access to database servers and maintain strict access controls to prevent unauthorized administrative access. Monitoring for unusual database behavior or frequent service restarts can help detect exploitation attempts. This vulnerability aligns with CWE-121, which addresses buffer overflow conditions, and maps to ATT&CK technique T1499.004 for network denial of service attacks. The flaw demonstrates the importance of proper input validation and resource management in database server components, particularly those handling metadata queries. Organizations should conduct thorough security assessments of their database environments and ensure regular patch management processes are in place to address similar vulnerabilities proactively.

Responsible

Oracle

Reservation

11/15/2021

Disclosure

01/19/2022

Moderation

accepted

CPE

ready

EPSS

0.01360

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!