CVE-2022-21372 in MySQL Serverinfo

Summary

by MITRE • 01/19/2022

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/17/2025

The vulnerability identified as CVE-2022-21372 resides within Oracle MySQL Server's encryption component, specifically affecting versions 8.0.27 and earlier. This flaw represents a significant security concern for database environments that rely on MySQL's encryption capabilities for data protection. The vulnerability operates at the server level and is categorized under the broader security encryption framework, making it particularly concerning for organizations that depend on robust data encryption mechanisms to protect sensitive information. The affected component is part of MySQL's server security infrastructure, which handles various encryption protocols and mechanisms that are fundamental to database security operations.

This vulnerability manifests as an easily exploitable issue that requires only high privileged access and network connectivity through multiple protocols to be successfully leveraged. The attack vector is particularly dangerous because it can be executed from external networks, potentially allowing malicious actors to compromise the MySQL server through various communication protocols. The CVSS score of 2.7 indicates a low to medium severity impact, yet the partial denial of service condition poses substantial operational risks to database availability and system reliability. The vulnerability's classification as requiring high privileges suggests that it may be accessible to users with administrative or elevated permissions, though the network accessibility component means that attackers could potentially escalate their privileges through this vector.

The operational impact of this vulnerability extends beyond simple service disruption, as it can result in partial denial of service conditions that affect MySQL Server availability. This partial DOS condition can significantly impact database operations, potentially causing delays in query processing, connection timeouts, and reduced system responsiveness. Organizations utilizing MySQL Server for mission-critical applications face substantial risk from this vulnerability, as database unavailability can cascade into broader business disruption. The vulnerability's potential to affect multiple protocols means that attackers can exploit it through various communication channels, making detection and mitigation more challenging for security teams.

Security mitigation strategies should focus on immediate patching of affected MySQL Server versions to address the encryption component flaw. Organizations should implement network segmentation and access controls to limit exposure of MySQL servers to untrusted networks, reducing the attack surface for potential exploitation. Monitoring network traffic for unusual patterns and implementing intrusion detection systems can help identify attempted exploitation of this vulnerability. The vulnerability aligns with CWE-284 (Improper Access Control) and may map to ATT&CK techniques involving privilege escalation and service availability attacks. Regular security assessments and vulnerability scanning should be implemented to identify similar weaknesses in database encryption implementations, ensuring comprehensive protection against related threats. System administrators should also consider implementing additional logging and monitoring capabilities around encryption-related operations to detect potential exploitation attempts.

Responsible

Oracle

Reservation

11/15/2021

Disclosure

01/19/2022

Moderation

accepted

CPE

ready

EPSS

0.00878

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!