CVE-2024-20978 in MySQL Serverinfo

Summary

by MITRE • 02/17/2024

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/08/2025

The vulnerability identified as CVE-2024-20978 resides within the MySQL Server optimizer component of Oracle MySQL database systems, representing a significant availability risk that can be exploited by attackers with high privileges and network access. This flaw affects MySQL Server versions 8.0.35 and earlier, as well as 8.2.0 and earlier releases, making it a widespread concern across multiple supported versions. The vulnerability's classification as easily exploitable indicates that sophisticated attackers with elevated privileges can leverage network protocols to compromise system availability, potentially causing complete denial of service conditions that can severely impact database operations and business continuity. The CVSS 3.1 base score of 4.9 reflects the moderate to high severity of the availability impact, with the vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H indicating network-based access requirements with low complexity, high privilege needs, and universal scope.

The technical nature of this vulnerability stems from flaws within the MySQL Server's optimizer module, which is responsible for determining the most efficient execution plan for database queries. When exploited, this vulnerability allows attackers to craft specific query patterns or manipulate database operations in a way that causes the MySQL server process to enter a state of indefinite hanging or frequent crashes. The optimizer component's failure to properly handle certain input conditions or query structures results in system instability that manifests as complete server downtime. This represents a critical weakness in the server's resource management and error handling mechanisms, particularly within the query optimization phase where the system processes and plans execution paths for database operations. The vulnerability's impact on system availability can be particularly devastating in production environments where database uptime is critical for business operations and application functionality.

From an operational perspective, the implications of CVE-2024-20978 extend beyond simple service disruption to encompass potential business impact through extended downtime and data accessibility issues. Organizations running affected MySQL versions face the risk of complete database service outages that can cascade into broader system failures, especially in environments where multiple applications depend on database connectivity. The high privilege requirement for exploitation suggests that this vulnerability is primarily targeted at attackers who have already gained administrative access to the system or have legitimate elevated privileges, making it particularly concerning for environments where privilege escalation or insider threats are possible. The vulnerability's ability to cause complete DOS conditions means that recovery operations may require manual intervention, including server restarts, which can result in data loss or inconsistency issues if transactions are interrupted during the crash recovery process.

Security mitigations for this vulnerability should prioritize immediate patching of affected MySQL Server installations to the latest available versions that contain the necessary fixes. Organizations should implement network segmentation and access controls to limit the attack surface and reduce the likelihood of unauthorized access to privileged database accounts. Monitoring systems should be enhanced to detect unusual patterns in database server behavior, including unexpected restarts or performance degradation that could indicate exploitation attempts. The vulnerability aligns with ATT&CK technique T1499.004 for network denial of service and CWE-476 for null pointer dereference, indicating that defensive measures should include input validation and robust error handling mechanisms. Additionally, organizations should conduct thorough vulnerability assessments to identify and remediate any other potential weaknesses in their database infrastructure that could be exploited in conjunction with this vulnerability. Regular security audits and penetration testing should be implemented to verify the effectiveness of mitigations and ensure that the database environment remains resilient against similar threats.

Reservation

12/07/2023

Disclosure

02/17/2024

Moderation

accepted

CPE

ready

EPSS

0.01031

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!