CVE-2023-21940 in MySQL Serverinfo

Summary

by MITRE • 04/18/2023

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/08/2025

The vulnerability identified as CVE-2023-21940 represents a significant availability risk within Oracle MySQL Server versions 8.0.32 and earlier. This flaw resides in the Server: Components Services component of the MySQL ecosystem, making it particularly concerning given the widespread use of MySQL in enterprise environments. The vulnerability's classification as difficult to exploit indicates that while it requires specific conditions to be successfully leveraged, the potential impact on system availability makes it a critical concern for database administrators and security professionals. The attack vector requires a high privileged attacker with network access through multiple protocols, suggesting that this vulnerability could be exploited by individuals who already have elevated access rights within the network environment or those who can establish connections through various network interfaces.

The technical nature of this vulnerability manifests as a complete denial of service condition that can cause MySQL Server to hang or experience frequently repeatable crashes. This behavior directly maps to the availability impact category as defined in the CVSS scoring system, where the base score of 4.4 reflects the severity of the potential disruption. The CVSS vector analysis reveals that the attack requires high privileges (PR:H) and high network accessibility (AC:H), indicating that while the attack itself is not trivial to execute, it can be accomplished by an attacker with sufficient access rights. The lack of user interaction requirements (UI:N) suggests that this vulnerability can be exploited automatically without requiring user involvement, making it particularly dangerous in automated attack scenarios.

The operational impact of CVE-2023-21940 extends beyond simple service disruption, as complete denial of service conditions can have cascading effects throughout enterprise systems that depend on MySQL database availability. Organizations running affected MySQL versions face the risk of production outages that can impact business continuity, data access, and application functionality. The vulnerability's potential to cause frequent crashes means that even partial exploitation could lead to ongoing service degradation rather than isolated incidents. This type of vulnerability aligns with ATT&CK technique T1499.004, which covers "Endpoint Denial of Service" through resource exhaustion or service interruption, and may also relate to CWE-400, which covers "Uncontrolled Resource Consumption" in software systems. The availability impact of this vulnerability is particularly concerning for systems where database uptime is critical for business operations.

Mitigation strategies for CVE-2023-21940 should prioritize immediate patching of affected MySQL Server installations to version 8.0.33 or later, which contains the necessary security fixes. Network segmentation and access controls should be implemented to limit the attack surface and reduce the likelihood of unauthorized access to MySQL services. Organizations should also consider implementing monitoring solutions that can detect unusual patterns of database service disruption or resource consumption that might indicate exploitation attempts. Database administrators should review and tighten access controls to ensure that only authorized personnel have the necessary privileges to interact with MySQL services. Additionally, implementing redundant database systems or failover mechanisms can help maintain service availability even if individual MySQL instances are compromised by this vulnerability. The security community should remain vigilant for any indicators of exploitation attempts and maintain updated threat intelligence regarding this specific vulnerability's usage in real-world attacks.

Responsible

Oracle

Reservation

12/17/2022

Disclosure

04/18/2023

Moderation

accepted

CPE

ready

EPSS

0.01294

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!