CVE-2024-20972: 
MySQL vulnerability analysis and mitigation

CVE-2024-20972 is a vulnerability in the MySQL Server product of Oracle MySQL, specifically affecting the Server Optimizer component. The vulnerability affects MySQL Server versions 8.0.35 and prior, and 8.2.0 and prior. This is an easily exploitable vulnerability that allows high privileged attackers with network access via multiple protocols to compromise MySQL Server (Oracle Advisory).

The vulnerability has been assigned a CVSS 3.1 Base Score of 4.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H. The vulnerability requires high privileges and network access, but has low attack complexity and requires no user interaction. The scope is unchanged, with no impact on confidentiality or integrity, but high impact on availability (NVD).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (Oracle Advisory).

Oracle has released patches to address this vulnerability in the January 2024 Critical Patch Update. Users are strongly recommended to update to the patched versions of MySQL Server. The fix is included in MySQL version 8.0.36 (Red Hat Advisory).

The vulnerability was discovered and reported by researchers Jie Liang, Jingzhou Fu, and Zhiyong Wu of WingTecher Lab of Tsinghua University (Oracle Advisory).