Red Team or Advanced Rogue attacker can exploit this vulnerability to cause a crash or hang of MySQL Server.

CVSS 3.0 Base Score 5.3 (System information disclosure). Critical - If the user is not aware of the attack or does not have common protection against attacks, this vulnerability poses a critical risk. CVSS 3.0 Score 5.3 — System information disclosure Critical — If the user is not aware of the attack or does not have common protection against attacks, this vulnerability poses a critical risk. CVSS 3.0 Score 5.3 — System information disclosure Critical — If the user is not aware of the attack or does not have common protection against attacks, this vulnerability poses a critical risk. CVSS 3.0 Score 5.3 — System information disclosure Critical — If the user is not aware of the attack or does not have common protection against attacks, this vulnerability poses a critical risk. CVSS 3.0 Score 5.3 — System information disclosure Critical — If the user is not aware of the attack or does not have common protection against attacks, this vulnerability poses a critical risk. CVSS 3.0 Score 5.3 — System information disclosure Critical — If the user is not aware of the attack or does not have common protection against attacks, this vulnerability poses a critical risk. CVSS 3.0 Score 5.3 — System information disclosure Critical — If the user is not aware of the attack or does not have common protection against attacks, this vulnerability poses

Mitigation and Detection

Mitigation and Detection

CVE-2022-21641
Red Team or Advanced Rogue attacker can exploit this vulnerability to cause a crash or hang of MySQL Server.

Overview

There are 2 fields in the DB structure that are susceptible to causing a crash or hang of MySQL server.

The "field_name" and "field_table_name" field in the “information_schema” table for users with permissions to do so.
The “table” field in the “arbitrary_table” table.

Upgrade MySQL to version 5.6.x as soon as possible

Upgrade MySQL to version 5.6.x as soon as possible

Vulnerable code:

#define mysql_e_stmt_completed NULL

#define mysql_e_stmt_completed NULL

Timeline

Published on: 10/18/2022 21:15:00 UTC
Last modified on: 10/18/2022 21:18:00 UTC

References