CVE-2024-21015 in MySQL Serverinfo

Summary

by MITRE • 04/17/2024

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.34 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 09/06/2025

This vulnerability resides within the MySQL Server component known as Server: DML and affects specific versions including 8.0.34 and earlier, as well as 8.3.0 and earlier releases. The flaw represents a significant security concern as it can be exploited by attackers with high privileges who possess network access through multiple protocols. The vulnerability's classification as easily exploitable indicates that attackers with sufficient privileges can readily leverage this weakness to compromise the targeted MySQL server instances. The technical nature of the vulnerability manifests in two primary impact areas: complete denial of service through server hangs or repeated crashes, and unauthorized modification of data through update, insert, or delete operations on accessible server data.

The operational impact of this vulnerability extends beyond simple service disruption to encompass data integrity compromise. Attackers with high privileges can cause the MySQL server to become unresponsive or crash repeatedly, effectively rendering the database service unavailable to legitimate users. This complete denial of service scenario can severely disrupt business operations and data accessibility. Additionally, the vulnerability enables unauthorized data manipulation, allowing attackers to modify database contents through update, insert, or delete commands on portions of data that the compromised server has access to. The CVSS 3.1 score of 5.5 reflects the balanced severity across integrity and availability impacts, with the availability impact rated as high due to potential complete service disruption. The attack vector requires network access with high privileges, suggesting that the vulnerability may be exploited through authenticated connections or by attackers who have already gained elevated access to the system.

The technical flaw within the DML processing component of MySQL Server likely stems from inadequate input validation or improper handling of specific data manipulation operations. This allows maliciously crafted requests to trigger unexpected behavior in the server's processing logic, leading to either system instability or unauthorized data modification. The vulnerability's presence in both major version branches (8.0.x and 8.3.x) indicates a fundamental issue in the server's data manipulation handling that affects multiple release lines. Organizations running affected MySQL versions face a critical security risk that requires immediate attention. The CVSS vector analysis reveals that no user interaction is required for exploitation, and the attack complexity is low, making this vulnerability particularly dangerous in environments where privileged access might be compromised. This vulnerability aligns with CWE categories related to improper input validation and insufficient error handling, which are common entry points for database server compromises. The ATT&CK framework would classify this vulnerability under initial access and execution phases, where an attacker with elevated privileges could leverage this weakness to maintain persistent access or escalate their capabilities within the database environment.

Organizations should prioritize immediate patching of affected MySQL Server installations to mitigate this vulnerability. The recommended approach includes upgrading to MySQL versions that have addressed this specific flaw, typically through official Oracle security patches or updated package releases. System administrators should also implement network segmentation and access controls to limit the potential impact of privilege escalation scenarios. Monitoring for unusual database activity or service disruptions should be enhanced to detect potential exploitation attempts. Additionally, organizations should review their database access controls and privilege management to ensure that only necessary users maintain high-privilege accounts. The vulnerability's impact on both availability and integrity makes it particularly concerning for production environments where database reliability and data consistency are critical. Regular security assessments of database environments should be conducted to identify and remediate similar vulnerabilities that may exist in other database components or related systems.

Responsible

Oracle

Reservation

12/07/2023

Disclosure

04/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00838

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!