CVE-2023-21912 in MySQL Server
Summary
by MITRE • 04/18/2023
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.41 and prior and 8.0.30 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/18/2025
The vulnerability identified as CVE-2023-21912 represents a critical availability flaw within Oracle MySQL Server that affects versions 5.7.41 and earlier, as well as 8.0.30 and prior releases. This issue resides within the Server: Security: Privileges component of the MySQL ecosystem, making it particularly concerning for database administrators and security professionals who manage critical infrastructure. The vulnerability's classification as easily exploitable indicates that attackers with minimal technical expertise and network access can leverage this weakness without requiring authentication credentials, significantly broadening the attack surface and potential impact.
The technical nature of this vulnerability stems from improper privilege handling within the MySQL server implementation, which allows unauthorized network access to trigger a denial of service condition. When exploited, the vulnerability can cause the MySQL server to hang or repeatedly crash, effectively rendering the database service unavailable to legitimate users and applications. This behavior directly maps to the availability impact component of the CIA triad, where the compromise of system availability can severely disrupt business operations and data access. The CVSS 3.1 scoring of 7.5 reflects the high severity of this issue, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicating network-based exploitation with low attack complexity, no privilege requirements, and no user interaction needed, while the high availability impact score demonstrates the potential for complete service disruption.
From an operational perspective, this vulnerability poses significant risks to organizations that rely heavily on MySQL databases for their core business operations. The ability for unauthenticated attackers to cause repeated crashes or hangs can lead to extended downtime, data loss, and potential financial impact due to service interruptions. The multi-protocol nature of the vulnerability means that attackers can exploit it through various network communication channels, making defense-in-depth strategies crucial for protection. Organizations using affected MySQL versions must prioritize immediate remediation efforts, as the vulnerability can be leveraged by automated scanning tools and malicious actors without requiring sophisticated attack techniques.
Security practitioners should consider this vulnerability in the context of broader attack frameworks such as MITRE ATT&CK, where it aligns with techniques involving privilege escalation and denial of service attacks. The vulnerability may also relate to CWE-200 (Information Exposure) and CWE-400 (Uncontrolled Resource Consumption) classifications, as it enables unauthorized users to consume system resources and potentially expose sensitive information through database access. Mitigation strategies should include immediate patching of affected MySQL versions to the latest releases, implementation of network-level access controls such as firewalls and intrusion detection systems, and monitoring for unusual connection patterns or service disruptions that may indicate exploitation attempts. Additionally, organizations should conduct comprehensive vulnerability assessments to identify other potential entry points and ensure proper network segmentation to limit the impact of such attacks on critical database infrastructure.