CVE-2023-22065 in MySQL Serverinfo

Summary

by MITRE • 10/25/2023

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/08/2025

The vulnerability identified as CVE-2023-22065 resides within the MySQL Server optimizer component of Oracle MySQL, affecting versions 8.0.33 and earlier. This represents a critical availability-focused weakness that can be exploited by attackers with high privileges and network access through multiple protocols. The vulnerability's classification as easily exploitable indicates that the attack vector requires minimal complexity for successful exploitation, making it particularly concerning for database environments where MySQL servers are exposed to network traffic.

The technical flaw manifests within the server optimizer module, which is responsible for determining the most efficient execution plan for database queries. When specific conditions are met during query processing, the optimizer fails to properly handle certain operations, leading to system instability. This malfunction results in the MySQL Server experiencing either complete hangs or repeated crashes that can be triggered repeatedly by an attacker. The vulnerability's impact on system availability is severe, as it can cause complete denial of service conditions that prevent legitimate database access and operations.

From an operational perspective, this vulnerability poses significant risks to database environments where MySQL servers are accessible over networks and where attackers might have elevated privileges. The CVSS score of 4.9 indicates a medium severity impact on availability, but the combination of high privilege requirements and network accessibility means that organizations with exposed MySQL instances face substantial risk. The vulnerability's potential to cause repeated crashes can lead to extended downtime periods and may require system administrators to restart services multiple times, impacting business continuity and database availability.

Organizations should prioritize immediate patching of affected MySQL Server installations to address this vulnerability. The recommended mitigation strategy involves upgrading to MySQL Server version 8.0.34 or later, which contains the necessary fixes to prevent the optimizer malfunction. Additionally, network segmentation should be implemented to limit access to MySQL servers, ensuring that only authorized systems can reach these database services. Access controls should be strengthened to minimize the number of accounts with high privileges, as the vulnerability requires elevated access levels to exploit effectively. Security monitoring should be enhanced to detect unusual patterns of database crashes or connection failures that might indicate exploitation attempts. This vulnerability aligns with CWE-248, which addresses "Uncaught Exception" in software systems, and may be categorized under ATT&CK techniques related to denial of service and privilege escalation activities.

Responsible

Oracle

Reservation

12/17/2022

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00926

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!