CVE-2024-20961 in MySQL Serverinfo

Summary

by MITRE • 01/17/2024

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 06/20/2025

The vulnerability identified as CVE-2024-20961 resides within the MySQL Server optimizer component of Oracle MySQL database systems. This flaw affects specific versions including 8.0.35 and earlier releases, as well as 8.2.0 and prior versions, making it a significant concern for database administrators managing these software versions. The vulnerability operates within the server-side optimization logic that processes database queries and execution plans, representing a critical point of failure in the database engine's core functionality.

This security weakness manifests as an easily exploitable flaw that requires minimal privileges for successful exploitation. An attacker with network access through multiple protocols can leverage this vulnerability to compromise MySQL Server operations. The attack vector is particularly concerning because it does not require elevated privileges, meaning even users with limited database access could potentially exploit this weakness. The vulnerability specifically targets the server's optimizer module, which is responsible for determining the most efficient execution paths for database queries, making it a fundamental component of database performance and stability.

The operational impact of successfully exploiting CVE-2024-20961 is severe and directly affects system availability. Attackers can cause complete denial of service conditions by inducing hangs or creating frequently repeatable crashes within the MySQL Server. This results in complete system unavailability, effectively preventing legitimate database operations from proceeding normally. The CVSS base score of 6.5 reflects the high availability impact, with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicating network-based access with low complexity, low privilege requirements, and high availability impact. The vulnerability's classification under CWE-119 (Improper Access to Stored Data) and its alignment with ATT&CK technique T1499.004 (Endpoint Denial of Service) demonstrates its potential for causing widespread operational disruption.

Organizations should prioritize immediate patching of affected MySQL Server installations to address this vulnerability. The recommended mitigation strategy involves upgrading to versions that contain the security fixes for CVE-2024-20961, specifically targeting MySQL 8.0.36 or later, and 8.2.1 or later releases. Network segmentation and access controls should be implemented to limit exposure, while monitoring systems should be configured to detect unusual patterns of database connection failures or performance degradation that might indicate exploitation attempts. Database administrators should also consider implementing additional security measures such as connection throttling and query execution monitoring to reduce the potential impact of any successful exploitation attempts.

Responsible

Oracle

Reservation

12/07/2023

Disclosure

01/17/2024

Moderation

accepted

CPE

ready

EPSS

0.01104

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!