CVE-2024-21047 in MySQL Serverinfo

Summary

by MITRE • 04/17/2024

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 09/06/2025

The vulnerability identified as CVE-2024-21047 resides within the InnoDB storage engine component of Oracle MySQL server implementations. This critical availability-focused flaw affects MySQL versions 8.0.36 and earlier, as well as version 8.3.0 and prior, representing a significant risk to database infrastructure integrity. The vulnerability operates at the core storage engine level where InnoDB manages data persistence and transaction handling, making it particularly dangerous as it directly impacts the fundamental database operations.

The technical nature of this vulnerability stems from insufficient input validation within the InnoDB storage engine's handling of specific database operations. Attackers with high privileged access and network connectivity can exploit this weakness through multiple protocols to trigger a condition that results in complete denial of service. The flaw manifests as an inability to process legitimate database requests properly, causing the MySQL server to either hang indefinitely or crash repeatedly, effectively rendering the database service unavailable to legitimate users and applications. This type of vulnerability typically involves improper memory management or buffer handling within the storage engine's internal processing logic.

From an operational impact perspective, this vulnerability creates a severe disruption to database availability, which can cascade into broader system failures across dependent applications and services. The CVSS 3.1 score of 4.9 indicates a moderate to high severity level for availability impacts, with the attack requiring only high privileges and network access, making it relatively accessible to determined attackers. Organizations running affected MySQL versions face potential business disruption, data access limitations, and service degradation that can affect critical applications relying on database functionality. The vulnerability's exploitability factor of low complexity and the requirement for only high privileges rather than extensive system access makes it particularly concerning for production environments.

Security mitigation strategies should focus on immediate patching of affected MySQL versions to the latest releases that contain the necessary fixes for this InnoDB storage engine vulnerability. Organizations should also implement network segmentation and access controls to limit privileged network access to database servers, reducing the attack surface for potential exploitation. Monitoring systems should be enhanced to detect unusual database server behavior or repeated connection failures that might indicate exploitation attempts. The vulnerability aligns with CWE-129, which addresses improper validation of array indices, and falls under ATT&CK technique T1499.1 for network denial of service attacks, emphasizing the importance of maintaining up-to-date database software and implementing proper access controls to prevent unauthorized privilege escalation.

Responsible

Oracle

Reservation

12/07/2023

Disclosure

04/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00928

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!