CVE-2023-22092 in MySQL Serverinfo

Summary

by MITRE • 10/25/2023

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/08/2025

The vulnerability identified as CVE-2023-22092 resides within the MySQL Server optimizer component of Oracle MySQL database systems, affecting versions 8.0.34 and earlier. This issue represents a significant availability threat that can be exploited by attackers with high privileges and network access through multiple protocols. The vulnerability operates at the core optimization layer of the database server, where query execution plans are processed and executed, making it particularly dangerous as it can disrupt fundamental database operations.

The technical flaw manifests as a condition where specific optimizer operations can trigger a denial of service scenario leading to complete server crashes or indefinite hangs. This occurs when the server processes certain complex queries or optimization scenarios that cause memory management issues or internal state corruption within the optimizer module. The vulnerability's exploitability is classified as easily accessible due to the combination of high privilege requirements being relatively attainable in many database environments and the network-based attack vector that allows remote exploitation. The CVSS score of 4.9 reflects the high availability impact, as the vulnerability can cause complete service disruption rather than just partial functionality loss.

The operational impact of this vulnerability extends beyond simple service interruption, as database servers are critical infrastructure components that support numerous business applications and services. When compromised, the vulnerability can cause cascading failures across dependent systems, particularly in environments where MySQL serves as the primary data store for enterprise applications, web services, or transactional systems. The repeated crash scenario indicates that once exploited, the vulnerability can cause persistent service degradation rather than a one-time disruption, making it particularly problematic for maintaining database availability and reliability in production environments.

Organizations should prioritize immediate patching of affected MySQL Server installations to mitigate this vulnerability, as the combination of high privilege requirements and network accessibility makes it a realistic threat in many operational contexts. Security teams should implement network segmentation and access controls to limit exposure, while monitoring for unusual database behavior or connection patterns that might indicate exploitation attempts. The vulnerability aligns with ATT&CK technique T1499.004 for network denial of service and CWE-476 for null pointer dereference conditions in database optimization components. Additionally, implementing proper privilege management and regularly reviewing access controls can significantly reduce the attack surface, as the vulnerability requires high-privilege access to exploit effectively.

Responsible

Oracle

Reservation

12/17/2022

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00925

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!