CVE-2024-20964 in MySQL Serverinfo

Summary

by MITRE • 02/17/2024

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/08/2025

This vulnerability resides within the MySQL Server security privilege subsystem and represents a significant availability threat that affects Oracle MySQL versions 8.0.35 and earlier, as well as 8.2.0 and earlier. The flaw manifests as a condition where low-privileged attackers with network access can exploit this weakness through multiple protocols to compromise the MySQL server. The vulnerability's classification as difficult to exploit indicates that while it requires some technical knowledge and specific conditions, the attack surface remains substantial given MySQL's widespread deployment across enterprise environments. The CVSS base score of 5.3 reflects the availability impact severity, with the vector indicating network access availability, high attack complexity, low privileges required, and no user interaction needed.

The technical nature of this vulnerability involves a flaw in how MySQL handles privilege checks or access controls within its server component, particularly affecting the security subsystem. This issue allows authenticated attackers with minimal privileges to potentially cause a denial of service condition that results in server hangs or frequent crashes. The complete denial of service capability means that legitimate users and applications depending on the MySQL server would experience complete unavailability of database services, which could cascade into broader system failures. The vulnerability's impact extends beyond simple service interruption as it affects the fundamental availability of critical database infrastructure that many applications depend upon.

From an operational perspective, this vulnerability presents a serious risk to database availability and business continuity, particularly in environments where MySQL serves as a core component of data infrastructure. The low privilege requirement means that even users with minimal database permissions could potentially trigger this condition, making it particularly dangerous in environments with broad user access or insufficient privilege management. The multiple protocol access vector increases the attack surface significantly, as attackers could leverage various network interfaces or connection methods to exploit this weakness. Organizations running affected MySQL versions face potential downtime, data access interruptions, and service degradation that could affect multiple applications and business processes depending on database availability.

The mitigation strategy should prioritize immediate patching of affected MySQL versions to the latest releases that contain the fix for this privilege escalation vulnerability. Organizations should also implement network segmentation and access controls to limit exposure of MySQL servers to untrusted networks and reduce the attack surface. Monitoring for unusual connection patterns or service disruptions should be enhanced to detect potential exploitation attempts. Additionally, implementing proper privilege management and least-privilege principles can help reduce the impact if exploitation occurs. This vulnerability aligns with CWE-284 Access Control Issues and maps to ATT&CK technique T1068 Privilege Escalation, specifically targeting the availability aspect of the attack. Security teams should also consider implementing database activity monitoring solutions that can detect anomalous behavior patterns consistent with denial of service attacks against database services.

Reservation

12/07/2023

Disclosure

02/17/2024

Moderation

accepted

CPE

ready

EPSS

0.01023

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!