CVE-2024-21090 in MySQL Connectors
Summary
by MITRE • 04/17/2024
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 8.3.0 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 09/07/2025
The vulnerability identified as CVE-2024-21090 represents a critical availability issue within Oracle MySQL Connectors, specifically affecting Connector/Python versions 8.3.0 and earlier. This flaw resides in the MySQL Connectors component of Oracle MySQL, which serves as a crucial interface for Python applications to communicate with MySQL database systems. The vulnerability's classification as easily exploitable indicates that attackers can leverage it without requiring specialized skills or privileged access, making it particularly dangerous in production environments where database connectivity is essential for business operations.
The technical nature of this vulnerability stems from insufficient input validation and error handling mechanisms within the Connector/Python implementation. Attackers can exploit this weakness by sending carefully crafted network requests through multiple protocols, potentially including TCP/IP connections that the connector accepts. The vulnerability manifests as a denial-of-service condition that can either cause the connector to hang indefinitely or crash repeatedly, effectively rendering the database connection layer unusable. This behavior aligns with CWE-400, which categorizes improper handling of input that can lead to resource exhaustion or system instability. The vulnerability's impact extends beyond simple disruption as it can compromise the entire application stack that depends on MySQL connectivity, potentially cascading into broader system failures.
The operational implications of this vulnerability are severe for organizations relying on MySQL Connectors for their database operations. A successful exploitation can result in complete service disruption, forcing applications to fail when attempting to establish database connections. This type of attack can be particularly devastating in high-availability environments where database connectivity is critical for business continuity. The CVSS 3.1 score of 7.5 reflects the significant availability impact, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicating that network-based attacks requiring no authentication or user interaction can cause high availability impacts. Organizations may experience extended downtime, service degradation, and potential financial losses due to the inability to access critical database resources. The vulnerability's impact is further exacerbated by the fact that it affects multiple protocols, meaning attackers can exploit it through various network channels, increasing the attack surface and making defense-in-depth strategies more challenging to implement.
Mitigation strategies should focus on immediate patching of affected systems, as Oracle has likely released security updates addressing this specific vulnerability. Organizations should also implement network segmentation and access controls to limit exposure of MySQL connectors to untrusted networks, aligning with ATT&CK technique T1190 for exploitation of remote services. Additional protective measures include implementing intrusion detection systems to monitor for suspicious network activity patterns that may indicate exploitation attempts, configuring firewalls to restrict unnecessary access to MySQL ports, and establishing robust monitoring protocols to detect connector instability or frequent crashes. Regular security assessments should be conducted to identify and remediate similar vulnerabilities in other database connector components. The remediation process must include comprehensive testing of patched environments to ensure that the vulnerability is fully resolved without introducing compatibility issues with existing applications. Organizations should also consider implementing redundant database connection mechanisms and failover strategies to minimize the impact of potential exploitation attempts on overall system availability and business operations.