CVE-2024-20974 in MySQL Serverinfo

Summary

by MITRE • 02/17/2024

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/08/2025

This vulnerability resides within the MySQL Server optimizer component of Oracle MySQL database systems, affecting versions 8.0.35 and earlier as well as 8.2.0 and prior releases. The flaw represents a significant availability risk that can be exploited by attackers with high privileges and network access through multiple protocols. The vulnerability's classification as easily exploitable indicates that attackers do not require specialized skills or extensive resources to leverage this weakness, making it particularly concerning for database environments where MySQL servers are exposed to network traffic.

The technical nature of this vulnerability involves a flaw in how the MySQL Server optimizer processes certain queries or operations, leading to potential system instability. When successfully exploited, the vulnerability can cause complete denial of service conditions where the MySQL server becomes unresponsive or experiences frequent crashes that require manual intervention to restore normal operation. This type of vulnerability directly impacts the availability aspect of the database system's security posture, as documented by the CVSS 3.1 Base Score of 4.9 which reflects the high impact on availability. The attack vector requires network access with high privileges, suggesting that the vulnerability may be exploitable through authenticated connections or when the server is accessible from untrusted networks.

The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise entire database operations within affected environments. Organizations running MySQL Server versions within the specified vulnerable ranges face risks of extended downtime, data access interruptions, and potential business continuity issues. The complete denial of service condition can affect applications that depend on database connectivity, leading to cascading failures throughout dependent systems. This vulnerability aligns with CWE-119 which addresses memory safety issues in software components, particularly those involving improper handling of data structures during query optimization processes.

From a threat modeling perspective, the vulnerability's CVSS vector indicates a network-based attack requiring high privileges but no user interaction, suggesting that attackers who have already gained elevated access to systems or networks containing MySQL servers could leverage this weakness. The lack of confidentiality and integrity impacts in the CVSS scoring suggests that while the primary effect is availability disruption, unauthorized data access or modification capabilities are not part of the threat surface for this specific vulnerability. Organizations should implement immediate mitigations including applying available patches from Oracle MySQL, restricting network access to MySQL servers, implementing proper privilege controls, and monitoring for suspicious network activity patterns. The ATT&CK framework would categorize this as a denial of service attack using system services manipulation techniques, potentially falling under the broader category of resource exhaustion or service disruption tactics that attackers use to compromise system availability.

Mitigation strategies should include prioritizing patch deployment for affected MySQL versions, implementing network segmentation to limit access to database servers, enforcing strict authentication controls, and establishing robust monitoring systems to detect potential exploitation attempts. Database administrators should also conduct thorough vulnerability assessments to identify any additional weak points in their MySQL server configurations that could amplify the impact of this vulnerability or similar threats. Regular security audits and penetration testing exercises can help organizations better understand their exposure to such availability-focused attacks while maintaining compliance with industry standards for database security management and protection against known vulnerabilities.

Reservation

12/07/2023

Disclosure

02/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00881

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!