CVE-2024-21053 in MySQL Serverinfo

Summary

by MITRE • 04/17/2024

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 09/06/2025

The vulnerability identified as CVE-2024-21053 represents a critical availability threat within Oracle MySQL Server version 8.0.34 and earlier releases. This flaw resides within the Server: DML component, which processes data manipulation language operations including select, insert, update, and delete commands. The vulnerability manifests as a denial of service condition that can be triggered by a high-privileged attacker who has network access to the MySQL server through multiple communication protocols. The attack vector requires network connectivity and elevated privileges, indicating that the threat actor must already possess administrative or root-level access to the system or have sufficient database permissions to exploit this weakness effectively.

The technical nature of this vulnerability stems from improper handling of certain data manipulation operations within the MySQL server's execution engine. When specific DML statements are processed under particular conditions, the server experiences a condition that leads to either a complete hang or a repeatedly crashable state, effectively rendering the database service unavailable to legitimate users and applications. This behavior constitutes a complete denial of service scenario where the MySQL server becomes unresponsive and requires manual intervention or system restart to restore normal operations. The vulnerability's classification as easily exploitable indicates that the attack mechanism requires minimal complexity to achieve the desired disruptive outcome, making it particularly concerning for production environments where database availability is critical.

The operational impact of CVE-2024-21053 extends beyond simple service interruption to potentially disrupt business operations that depend on MySQL database availability. Organizations running affected MySQL versions face significant risk of operational downtime that can cascade into broader system failures, especially in environments where database connectivity is fundamental to application functionality. The CVSS 3.1 score of 4.9, classified as moderate severity for availability impacts, reflects the substantial disruption potential despite requiring high privileges for exploitation. This vulnerability directly maps to CWE-400, which addresses "Uncontrolled Resource Consumption" or "Resource Exhaustion" in software systems, specifically targeting the availability aspect of the CIA triad. The attack scenario aligns with ATT&CK technique T1499.004, "Toggle Service State," where adversaries manipulate system services to cause denial of service conditions.

Organizations should prioritize immediate remediation by upgrading to MySQL Server version 8.0.35 or later, which contains the necessary patches to address this vulnerability. Additionally, implementing network segmentation and access controls can help limit the attack surface by restricting access to database servers to only authorized personnel and applications. Database administrators should monitor for unusual patterns in database server behavior and implement robust logging mechanisms to detect potential exploitation attempts. The mitigation strategy should include regular security assessments of database environments, proper privilege management to minimize the risk of insider threats, and maintaining current vulnerability management processes to ensure timely patch deployment across all affected systems. Organizations should also consider implementing database activity monitoring solutions that can detect anomalous DML operations that might indicate exploitation attempts.

Responsible

Oracle

Reservation

12/07/2023

Disclosure

04/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00962

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!